From 9ed952af31cc7c2a19ec8fb3d130adcddeed32f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?=
Date: Thu, 4 Apr 2024 12:00:13 -0300
Subject: [PATCH] fix(rbac): sync RBAC permissions with Helm charts.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Updates the Kubebuilder directives to be in sync with the RBAC used in the Helm charts to install Kuberwanden.
Signed-off-by: José Guilherme Vanz
---
 config/rbac/role.yaml | 49 ++++++++++++++------------
 controllers/policyserver_controller.go | 8 ++---
 2 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index a0dfa514c..a4ffc5a83 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -73,6 +73,32 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - policies.kubewarden.io resources:
+ - policyservers verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - policies.kubewarden.io resources:
+ - policyservers/finalizers verbs:
+ - update
+- apiGroups:
+ - policies.kubewarden.io resources:
+ - policyservers/status verbs:
+ - get
+ - patch
+ - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -132,29 +158,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
- - policies.kubewarden.io resources:
- - policyservers verbs:
- - delete
- - get
- - list
- - watch
-- apiGroups:
- - policies.kubewarden.io resources:
- - policyservers/finalizers verbs:
- - update
-- apiGroups:
- - policies.kubewarden.io resources:
- - policyservers/status verbs:
- - get
- - patch
- - update
 - apiGroups:
 - policy resources:
diff --git a/controllers/policyserver_controller.go b/controllers/policyserver_controller.go
index f49f68c0b..3516beae8 100644
--- a/controllers/policyserver_controller.go
+++ b/controllers/policyserver_controller.go
@@ -50,11 +50,11 @@ type PolicyServerReconciler struct {
 // We need access to these resources only inside of the namespace where the
 // controller is deployed. Here we assume it's being deployed inside of the
 // `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete;create;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=secrets;services;configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=create;update;patch;delete;get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
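Review bot: The context comment directly above the three rewritten `policyservers` markers still says these permissions are needed "only inside of the namespace where the controller is deployed", but the new lines drop `namespace=kubewarden` (the role.yaml hunk in this same patch shows the rules moving out of the namespaced `kind: Role` document) and additionally grant `create;update;patch`, so the comment now describes a narrower scope than the generated RBAC actually has. Either move the three `policies.kubewarden.io` markers above that comment or add a line such as `// PolicyServer rules carry no namespace= and therefore land in the cluster-scoped role; create/update/patch are included to match the Helm chart.` so the next reader does not assume they are namespace-bound. If no code path in this reconciler actually creates or patches PolicyServer objects, the least-privilege direction would be to trim the chart rather than widen the markers to match it; that cannot be determined from this hunk. The declaration these markers annotate lies outside the hunk.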