Align RBAC rules

Align Helm RBAC Role template to the kubebuilder generated file in `config/rbac/role.yaml` Signed-off-by: Fred Rolland <frolland@nvidia.com>
rollandf · Oct 17, 2023 · c6f8256 · c6f8256
1 parent 0d2367d
commit c6f8256
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 32 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -205,6 +205,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - hostdevicenetworks/finalizers
+  verbs:
+  - update
 - apiGroups:
   - mellanox.com
   resources:
@@ -225,6 +231,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - ipoibnetworks/finalizers
+  verbs:
+  - update
 - apiGroups:
   - mellanox.com
   resources:
@@ -245,6 +257,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - macvlannetworks/finalizers
+  verbs:
+  - update
 - apiGroups:
   - mellanox.com
   resources:
@@ -266,6 +284,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - nicclusterpolicies/finalizers
+  verbs:
+  - update
 - apiGroups:
   - monitoring.coreos.com
   resources:

diff --git a/controllers/hostdevicenetwork_controller.go b/controllers/hostdevicenetwork_controller.go
@@ -50,6 +50,7 @@ type HostDeviceNetworkReconciler struct {
 
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/finalizers,verbs=update
 // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
 

diff --git a/controllers/ipoibnetwork_controller.go b/controllers/ipoibnetwork_controller.go
@@ -50,6 +50,7 @@ type IPoIBNetworkReconciler struct {
 
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/finalizers,verbs=update
 // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
 

diff --git a/controllers/macvlannetwork_controller.go b/controllers/macvlannetwork_controller.go
@@ -52,6 +52,7 @@ type MacvlanNetworkReconciler struct {
 
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/finalizers,verbs=update
 // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
 

diff --git a/controllers/nicclusterpolicy_controller.go b/controllers/nicclusterpolicy_controller.go
@@ -59,6 +59,7 @@ type NicClusterPolicyReconciler struct {
 
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies;nicclusterpolicies/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies/finalizers,verbs=update
 // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete

diff --git a/deployment/network-operator/templates/role.yaml b/deployment/network-operator/templates/role.yaml
@@ -80,6 +80,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -141,6 +153,19 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - issuers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:
@@ -173,13 +198,7 @@ rules:
 - apiGroups:
   - k8s.cni.cncf.io
   resources:
-  - '*'
-  verbs:
-  - '*'
-- apiGroups:
-  - mellanox.com
-  resources:
-  - '*'
+  - network-attachment-definitions
   verbs:
   - create
   - delete
@@ -200,6 +219,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - hostdevicenetworks/finalizers
+  verbs:
+  - update
 - apiGroups:
   - mellanox.com
   resources:
@@ -220,6 +245,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - ipoibnetworks/finalizers
+  verbs:
+  - update
 - apiGroups:
   - mellanox.com
   resources:
@@ -240,6 +271,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - macvlannetworks/finalizers
+  verbs:
+  - update
 - apiGroups:
   - mellanox.com
   resources:
@@ -248,6 +285,25 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - mellanox.com
+  resources:
+  - nicclusterpolicies
+  - nicclusterpolicies/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - mellanox.com
+  resources:
+  - nicclusterpolicies/finalizers
+  verbs:
+  - update
 - apiGroups:
   - monitoring.coreos.com
   resources:
@@ -333,28 +389,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - cert-manager.io
-  resources:
-  - certificates
-  - issuers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch