clean up provisioner RBAC and reuse Contour RBAC for it #4438
Conversation
Tidies up provisioner RBAC markers and reuses the Contour RBAC file when generating the provisioner RBAC YAML instead of requiring all markers to be duplicated in the provisioner's file. Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss
added
the
release-note/none-required
skriss
requested review from
stevesloka and
youngnick
and removed request for
a team
| @@ -87,7 +88,7 @@ func desiredClusterRole(name string, contour *model.Contour) *rbacv1.ClusterRole | |||
| // Gateway API resources. | |||
| // Note, ReferencePolicy does not currently have a .status field so it's omitted from the status rule. | |||
| policyRuleFor(gatewayv1alpha2.GroupName, getListWatch, "gatewayclasses", "gateways", "httproutes", "tlsroutes", "referencepolicies"), | |||
| policyRuleFor(gatewayv1alpha2.GroupName, createGetUpdate, "gatewayclasses/status", "gateways/status", "httproutes/status", "tlsroutes/status"), | |||
| policyRuleFor(gatewayv1alpha2.GroupName, update, "gatewayclasses/status", "gateways/status", "httproutes/status", "tlsroutes/status"), | |||
There was a problem hiding this comment.
This was reduced to just update to match https://github.com/projectcontour/contour/blob/main/internal/k8s/rbac.go#L23
Codecov Report
@@ Coverage Diff @@
## main #4438 +/- ##
==========================================
+ Coverage 74.10% 74.12% +0.01%
==========================================
Files 137 137
Lines 12218 12219 +1
==========================================
+ Hits 9054 9057 +3
+ Misses 2966 2964 -2
Partials 198 198
|
| // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;delete;create;update;watch | ||
| // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;delete;create;update | ||
| // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;delete;create;update | ||
| // This file only contains entries for RBAC that the Provisioner needs itself directly. |
There was a problem hiding this comment.
you were right i like this method of doing things a lot more!
| // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;delete | ||
| // --- | ||
|
|
||
| // RBAC for leader election for the provisioner. | ||
| // +kubebuilder:rbac:groups="",resources=events,verbs=create;get;update,namespace=projectcontour |
There was a problem hiding this comment.
should be removable? tried w/o these couple lines and it didnt change the generated role
There was a problem hiding this comment.
Yeah I think this one is effectively duplicated with https://github.com/projectcontour/contour/blob/main/internal/k8s/rbac.go#L27-L29, hence why no change in the generated role, but I left it in here because the provisioner itself can do leader election, so even if Contour (for some reason) stopped doing leader election, the provisioner would still need it itself.
There was a problem hiding this comment.
ah right, good to eventually note somewhere if you want to deploy the provisioner in a custom namespace you'll have to change that part of the manifest 👍🏽
There was a problem hiding this comment.
idk if we properly documented that except maybe in release notes for the xds server itself
Tidies up provisioner RBAC markers and reuses
the Contour RBAC file when generating the
provisioner RBAC YAML instead of requiring all
markers to be duplicated in the provisioner's
file.
Signed-off-by: Steve Kriss krisss@vmware.com