From c5b7e1cb3bb7805474faf409eb48ef441360fe29 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Thu, 5 Dec 2024 12:01:54 +0800
Subject: [PATCH] doc: fix basic cluster role yaml for operator (#1177)
---
 config/rbac/role.yaml | 504 +++++++----------------------------------
 1 file changed, 84 insertions(+), 420 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 2a2ef1ad..33966701 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -6,323 +6,62 @@ metadata: app.kubernetes.io/managed-by: kustomize name: operator rules: +- nonResourceURLs: + - /metrics + - /metrics/resources + verbs: + - get + - watch + - list - apiGroups: - "" resources: - configmaps - configmaps/finalizers - verbs: - - '*' -- apiGroups: - - "" - resources: - endpoints - verbs: - - '*' -- apiGroups: - - "" - resources: - events - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - persistentvolumeclaims - persistentvolumeclaims/finalizers - verbs: - - '*' -- apiGroups: - - "" - resources: - pods - verbs: - - '*' -- apiGroups: - - "" - resources: - secrets - secrets/finalizers + - services + - services/finalizers + - serviceaccounts + - serviceaccounts/finalizers verbs: - - '*' + - "*" - apiGroups: - "" resources: - - services - - services/finalizers + - configmaps/status + - nodes + - nodes/proxy + - nodes/metrics + - namespaces verbs: - - '*' + - get + - list + - watch - apiGroups: - apps resources: - deployments - deployments/finalizers - verbs: - - '*' -- apiGroups: - - apps - resources: - replicasets - verbs: - - '*' -- apiGroups: - - apps - resources: - statefulsets - statefulsets/finalizers - statefulsets/status verbs: - - '*' -- apiGroups: - - policy - resources: - - poddisruptionbudgets - - poddisruptionbudgets/finalizers - verbs: - - '*' + - "*" - apiGroups: - monitoring.coreos.com resources: - - '*' - verbs: - - '*' -- apiGroups: - - operator.victoriametrics.com - resources: - - vmagents - - vmagents/finalizers + - "*" verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - "*" - apiGroups: - - operator.victoriametrics.com - resources: - - vmagents/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmalertmanagers - - vmalertmanagers/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - 
operator.victoriametrics.com - resources: - - vmalertmanagers/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmalerts - - vmalerts/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmalerts/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmclusters - - vmclusters/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmclusters/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmpodscrapes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmpodscrapes/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmrules - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmrules/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmservicescrapes - - vmscrapeconfigs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmservicescrapes/status - - vmscrapeconfigs/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmprobes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmprobes/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmsingles - - vmsingles/finalizers - verbs: - - create - - delete - - get - - list - 
- patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmsingles/status - verbs: - - get - - patch - - update -- apiGroups: - - "discovery.k8s.io" - resources: - - endpointslices - verbs: - - 'list' - - 'watch' - - 'get' -- apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/metrics - - services - - endpoints - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - extensions - - "extensions" - - networking.k8s.io - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - delete -- nonResourceURLs: - - "/metrics" - - "/metrics/resources" - verbs: - - get - - watch - - list -- apiGroups: - - "rbac.authorization.k8s.io" + - rbac.authorization.k8s.io resources: - clusterrolebindings - clusterrolebindings/finalizers @@ -331,56 +70,7 @@ rules: - roles - rolebindings verbs: - - get - - list - - create - - patch - - update - - watch - - delete -- apiGroups: - - "" - resources: - - serviceaccounts - - serviceaccounts/finalizers - verbs: - - get - - list - - create - - watch - - delete - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmnodescrapes - - vmnodescrapes/finalizers - verbs: - - '*' -- apiGroups: - - operator.victoriametrics.com - resources: - - vmnodescrapes/status - verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com - resources: - - vmstaticscrapes - - vmnodescrapes/finalizers - verbs: - - '*' -- apiGroups: - - operator.victoriametrics.com - resources: - - vmstaticscrapes/status - verbs: - - get - - patch - - update + - "*" - apiGroups: - storage.k8s.io resources: @@ -389,6 +79,13 @@ rules: - list - get - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/finalizers + verbs: + - "*" - apiGroups: - route.openshift.io - image.openshift.io 
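Review bot: Folding `serviceaccounts` and `serviceaccounts/finalizers` into the core-group rule with `verbs: "*"` widens them beyond the explicit list the removed rule carried (get, list, create, watch, delete, patch, update); on `serviceaccounts` the wildcard also matches `impersonate`, so the operator's identity could act as any service account this role's binding covers. The other resources in that rule (`secrets`, `pods`, `configmaps` and so on) were already under a wildcard, so this is the one entry whose grant actually grows. Keep the two service-account entries in a rule of their own with the explicit verbs, as sketched below. The same explicit-to-wildcard widening recurs for `autoscaling` and `networking.k8s.io` in a later hunk, and because the subject is tagged `doc:` the description should say that effective permissions change.

```yaml
# … unchanged: core-group rule with verbs "*", minus the two serviceaccounts entries …
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  - serviceaccounts/finalizers
  verbs:
  # explicit list: "*" would also grant impersonate on service accounts
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
```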
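Review bot: The `verbs: "*"` that replaces the explicit list on the `rbac.authorization.k8s.io` rule also matches `escalate` and `bind`, the two verbs that switch off RBAC's built-in privilege-escalation check. The visible resources include `roles`, and the resource list starts before this hunk, so other role kinds may be covered as well. With those verbs the operator's service account can write or bind roles that carry permissions it does not itself hold, so a compromised operator pod would no longer be limited to the permissions listed in this file. Restore the removed verbs (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) and add a comment such as `# explicit verbs: "*" would also grant escalate and bind`.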
@@ -399,71 +96,17 @@ rules: - get - apiGroups: - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmusers - - vmusers/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmusers/status verbs: - - get - - patch - - update -- apiGroups: - - operator.victoriametrics.com + - "*" resources: - - vmauths - - vmauths/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmauths/status - verbs: - - get - - patch - - update + - horizontalpodautoscalers - apiGroups: - networking.k8s.io - - extensions resources: - ingresses - ingresses/finalizers verbs: - - create - - delete - - get - - patch - - update - - watch + - "*" - apiGroups: - apiextensions.k8s.io resources: 
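Review bot: In the `autoscaling` rule the new `verbs:` key sits before `resources:`, while the other rules visible in this patch are ordered apiGroups, resources, verbs; the mapping parses the same, but the odd order makes it easy to misread which verbs belong to `horizontalpodautoscalers`. Move `verbs:` back below the resource list. In the `networking.k8s.io` rule under it, `ingresses` goes from six named verbs to `"*"`, which additionally grants `list` and `deletecollection`. The read rule removed in the first hunk is what supplied `list`, so adding `- list` to the old set would be the narrower replacement.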
@@ -472,42 +115,63 @@ rules: - get - list - apiGroups: - - operator.victoriametrics.com + - discovery.k8s.io resources: - - vmalertmanagerconfigs + - endpointslices verbs: - - create - - delete - - get - list - - patch - - update - watch -- apiGroups: - - operator.victoriametrics.com - resources: - - vmalertmanagerconfigs/status - verbs: - get - - patch - - update - apiGroups: - operator.victoriametrics.com resources: - vlogs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - operator.victoriametrics.com - resources: + - vlogs/finalizers - vlogs/status + - vmagents + - vmagents/finalizers + - vmagents/status + - vmalertmanagerconfigs + - vmalertmanagerconfigs/finalizers + - vmalertmanagerconfigs/status + - vmalertmanagers + - vmalertmanagers/finalizers + - vmalertmanagers/status + - vmalerts + - vmalerts/finalizers + - vmalerts/status + - vmauths + - vmauths/finalizers + - vmauths/status + - vmclusters + - vmclusters/finalizers + - vmclusters/status + - vmnodescrapes + - vmnodescrapes/finalizers + - vmnodescrapes/status + - vmpodscrapes + - vmpodscrapes/finalizers + - vmpodscrapes/status + - vmprobes + - vmprobes/finalizers + - vmprobes/status + - vmrules + - vmrules/finalizers + - vmrules/status + - vmscrapeconfigs + - vmscrapeconfigs/finalizers + - vmscrapeconfigs/status + - vmservicescrapes + - vmservicescrapes/finalizers + - vmservicescrapes/status + - vmsingles + - vmsingles/finalizers + - vmsingles/status + - vmstaticscrapes + - vmstaticscrapes/finalizers + - vmstaticscrapes/status + - vmusers + - vmusers/finalizers + - vmusers/status verbs: - - get - - patch - - update + - '*'
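Review bot: The closing `- '*'` of the `operator.victoriametrics.com` rule uses single quotes while every other wildcard this patch adds is written `"*"`; pick one quoting style for the file. Merging the `/status` subresources into the same wildcard rule also replaces their former `get`/`patch`/`update` grant, which is reasonable for the operator's own CRDs but deserves a comment above the rule, for example `# operator-owned CRDs: full access incl. finalizers and status`. If this file is generated from kubebuilder RBAC markers (not visible here), the hand-maintained resource list would be overwritten on the next regeneration, so the markers would need the same update.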