From 402aa3ad97fdeef27677a018e428ba2e2e5cda29 Mon Sep 17 00:00:00 2001
From: Enrique Llorente Pastora
Date: Thu, 19 Nov 2020 15:55:59 +0100
Subject: [PATCH] Generate operator RBACs using controller-gen (#638)

At operator-sdk 1.y.z the RBACs are generate from annotations at Reconcile function in controllers, this PR do this but only for operator.

Signed-off-by: Quique Llorente
---
 Makefile | 5 +-
 controllers/nmstate_controller.go | 6 +-
 deploy/operator/role.yaml | 80 ++++++++++++++++---------------
 3 files changed, 48 insertions(+), 43 deletions(-)

diff --git a/Makefile b/Makefile
index d91867b08b..63ee4a9938 100644
--- a/Makefile
+++ b/Makefile
@@ -110,10 +110,13 @@ gen-k8s: $(CONTROLLER_GEN)
 gen-crds: $(CONTROLLER_GEN)
 $(CONTROLLER_GEN) $(CRD_OPTIONS) paths="./..." output:crd:artifacts:config=deploy/crds
 
+gen-rbac: $(CONTROLLER_GEN)
+$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=nmstate-operator paths="./controllers/nmstate_controller.go" output:rbac:artifacts:config=deploy/operator
+
 check-gen: generate
 ./hack/check-gen.sh
 
-generate: gen-k8s gen-crds
+generate: gen-k8s gen-crds gen-rbac
 
 manifests: $(GO)
 $(GO) run hack/render-manifests.go -handler-prefix=$(HANDLER_PREFIX) -handler-namespace=$(HANDLER_NAMESPACE) -operator-namespace=$(OPERATOR_NAMESPACE) -handler-image=$(HANDLER_IMAGE) -operator-image=$(OPERATOR_IMAGE) -handler-pull-policy=$(HANDLER_PULL_POLICY) -operator-pull-policy=$(OPERATOR_PULL_POLICY) -input-dir=deploy/ -output-dir=$(MANIFESTS_DIR)
diff --git a/controllers/nmstate_controller.go b/controllers/nmstate_controller.go
index d9f9ea2f5c..75e2b0f697 100644
--- a/controllers/nmstate_controller.go
+++ b/controllers/nmstate_controller.go
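Review bot: The `gen-rbac` recipe passes `$(CRD_OPTIONS)` to controller-gen even though this target only needs the rbac generator; if that variable expands to a `crd:...` generator option (its definition is outside this hunk), every `make gen-rbac` would also run CRD generation without the `output:crd:` rule that `gen-crds` sets. I would drop it: `$(CONTROLLER_GEN) rbac:roleName=nmstate-operator paths="./controllers/nmstate_controller.go" output:rbac:artifacts:config=deploy/operator`. Restricting `paths` to a single file also means rbac markers placed in any other file under controllers/ are silently left out of the generated role; `paths="./controllers/..."` avoids that, with the regenerated output then reviewed for any extra rules it pulls in.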
@@ -49,9 +49,9 @@ type NMStateReconciler struct {
 Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups="",resources=services;endpoints;persistentvolumeclaims;events;configmaps;secrets;pods,verbs="*",namespace=nmstate
-// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs="*",namespace=nmstate
-// +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs="*",namespace=nmstate
+// +kubebuilder:rbac:groups="",resources=services;endpoints;persistentvolumeclaims;events;configmaps;secrets;pods,verbs="*",namespace="{{ .OperatorNamespace }}"
+// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs="*",namespace="{{ .OperatorNamespace }}"
+// +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs="*",namespace="{{ .OperatorNamespace }}"
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs="*"
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;rolebindings;roles,verbs="*"
 // +kubebuilder:rbac:groups=nmstate.io,resources="*",verbs="*"
diff --git a/deploy/operator/role.yaml b/deploy/operator/role.yaml
index 05577136d7..1fc938f804 100644
--- a/deploy/operator/role.yaml
+++ b/deploy/operator/role.yaml
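Review bot: The three rewritten markers embed a Go-template placeholder, `namespace="{{ .OperatorNamespace }}"`, which turns the generated deploy/operator/role.yaml into a template rather than YAML that can be applied as-is, and nothing next to the markers says so. I would add a comment above them: `// The namespace is a template placeholder: deploy/operator/role.yaml is regenerated by 'make gen-rbac' and rendered by hack/render-manifests.go, so change the markers here rather than the YAML.` The markers still grant `verbs="*"` on secrets, pods and the other core resources in that namespace; that is unchanged by this commit, but now that the rules are generated from one place it is the natural spot to narrow them to the verbs the reconciler actually uses. The Reconcile function these markers annotate starts outside the hunk.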
@@ -1,87 +1,89 @@
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
 creationTimestamp: null
 name: nmstate-operator
- namespace: {{ .OperatorNamespace }}
 rules:
 - apiGroups:
 - ""
 resources:
- - services
- - endpoints
- - persistentvolumeclaims
- - events
 - configmaps
- - secrets
- - pods
+ - namespaces
+ - serviceaccounts
+ - statefulsets
+ verbs:
+ - '*'
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - '*'
 verbs:
 - '*'
 - apiGroups:
 - apps
 resources:
- - deployments
 - daemonsets
+ - deployments
 - replicasets
 - statefulsets
 verbs:
 - '*'
 - apiGroups:
- - policy
+ - nmstate.io
 resources:
- - poddisruptionbudgets
- verbs:
 - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: nmstate-operator
- namespace: {{ .OperatorNamespace }}
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
 verbs:
 - '*'
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
- - clusterroles
 - clusterrolebindings
+ - clusterroles
 - rolebindings
 - roles
 verbs:
 - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: nmstate-operator
+ namespace: '{{ .OperatorNamespace }}'
+rules:
 - apiGroups:
- - nmstate.io
- resources:
- - '*'
- verbs:
- - '*'
-- apiGroups:
- - apiextensions.k8s.io
+ - ""
 resources:
- - '*'
+ - configmaps
+ - endpoints
+ - events
+ - persistentvolumeclaims
+ - pods
+ - secrets
+ - services
 verbs:
 - '*'
 - apiGroups:
 - apps
 resources:
- - deployments
 - daemonsets
+ - deployments
 - replicasets
 - statefulsets
 verbs:
 - '*'
 - apiGroups:
- - ""
+ - policy
 resources:
- - serviceaccounts
- - configmaps
- - namespaces
+ - poddisruptionbudgets
 verbs:
- - "*"
+ - '*'
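Review bot: The new ClusterRole's first rule lists `statefulsets` under the core (`""`) API group next to `configmaps`, `namespaces` and `serviceaccounts`; statefulsets belong to `apps`, which the later `apps` rule already covers, so that entry grants nothing and most likely reflects a marker in controllers/nmstate_controller.go naming the wrong group. Since this file is now generated (`make gen-rbac`, verified by `check-gen`), the fix belongs in the `+kubebuilder:rbac` marker that produces the rule, not in this YAML. It is also worth noting that `namespaces` and `serviceaccounts` stay cluster-wide with `'*'` verbs; that is carried over from the old ClusterRole, but the regenerated rule is the place to confirm the operator needs more than get/list/watch on them.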