fix(rbac): sync RBAC permissions with Helm charts.

Updates the Kubebuilder directives to be in sync with the RBAC used in the Helm charts to install Kuberwanden. Signed-off-by: José Guilherme Vanz <[email protected]>
kubewarden · Apr 8, 2024 · 9ed952a · 9ed952a
1 parent 7c588c4
commit 9ed952a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 27 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -73,6 +73,32 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - policyservers/status
+  verbs:
+  - get
+  - patch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -132,29 +158,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers
-  verbs:
-  - delete
-  - get
-  - list
-  - watch
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - policies.kubewarden.io
-  resources:
-  - policyservers/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - policy
   resources:

diff --git a/controllers/policyserver_controller.go b/controllers/policyserver_controller.go
@@ -50,11 +50,11 @@ type PolicyServerReconciler struct {
 // We need access to these resources only inside of the namespace where the
 // controller is deployed. Here we assume it's being deployed inside of the
 // `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete;create;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=secrets;services;configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=create;update;patch;delete;get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete