From 3d85fd00b777da75c75ab18de728a3f1de9ce97e Mon Sep 17 00:00:00 2001 From: Mohammed Mesaoudi Date: Thu, 23 Jan 2025 15:16:19 +0100 Subject: [PATCH] =?UTF-8?q?feat:=20Removed=20skr=20permission=20=20and=20c?= =?UTF-8?q?ache=20config=20for=20remote=20kyma=20&=20ModuleTemp=E2=80=A6?= =?UTF-8?q?=20(#2198)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Removed skr permission and cache config for remote kyma & ModuleTemplate resources * Removed e2e test for klm-controller-manager serviceAcount on kyma-system namespace. * Remove remoteNamespace field as it will be not used for the cache. --------- Co-authored-by: Benjamin Lindner <50365642+lindnerby@users.noreply.github.com> --- cmd/main.go | 2 +- .../namespace_bindings/kustomization.yaml | 2 - config/rbac/namespace_bindings/skr_role.yaml | 43 ------------------- .../namespace_bindings/skr_role_binding.yaml | 12 ------ internal/cache_options.go | 20 ++++----- tests/e2e/rbac_privileges_test.go | 32 -------------- .../controller/eventfilters/suite_test.go | 2 +- .../integration/controller/kcp/suite_test.go | 2 +- .../integration/controller/kyma/suite_test.go | 2 +- .../mandatorymodule/deletion/suite_test.go | 2 +- .../installation/suite_test.go | 2 +- .../custom_resource_check/suite_test.go | 2 +- .../controller/manifest/suite_test.go | 2 +- .../controller/moduletemplate/suite_test.go | 2 +- .../controller/purge/suite_test.go | 2 +- .../controller/withwatcher/suite_test.go | 2 +- 16 files changed, 19 insertions(+), 112 deletions(-) delete mode 100644 config/rbac/namespace_bindings/skr_role.yaml delete mode 100644 config/rbac/namespace_bindings/skr_role_binding.yaml diff --git a/cmd/main.go b/cmd/main.go index d2b10cfada..578f1cf49f 100644 --- a/cmd/main.go +++ b/cmd/main.go 
@@ -116,7 +116,7 @@ func main() { } cacheOptions := internal.GetCacheOptions(flagVar.IsKymaManaged, flagVar.IstioNamespace, - flagVar.IstioGatewayNamespace, flagVar.RemoteSyncNamespace) + flagVar.IstioGatewayNamespace) setupManager(flagVar, cacheOptions, scheme, setupLog) } diff --git a/config/rbac/namespace_bindings/kustomization.yaml b/config/rbac/namespace_bindings/kustomization.yaml index d1b8329d73..8e9a9d4f54 100644 --- a/config/rbac/namespace_bindings/kustomization.yaml +++ b/config/rbac/namespace_bindings/kustomization.yaml @@ -13,6 +13,4 @@ resources: - role_binding.yaml # Comment the following to disable manifest integration - watcher_certmanager_role.yaml - - skr_role.yaml - watcher_certmanager_role_binding.yaml - - skr_role_binding.yaml diff --git a/config/rbac/namespace_bindings/skr_role.yaml b/config/rbac/namespace_bindings/skr_role.yaml deleted file mode 100644 index 27bdb53aa4..0000000000 --- a/config/rbac/namespace_bindings/skr_role.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -# Give controller-manager permissions to the resources residing in kyma-system namespace on the SKR cluster -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: controller-manager-skr - namespace: kyma-system -rules: -- apiGroups: - - operator.kyma-project.io - resources: - - kymas - verbs: - - list - - watch - - delete - - get - - create - - patch - - update -- apiGroups: - - operator.kyma-project.io - resources: - - kymas/finalizers - verbs: - - update -- apiGroups: - - operator.kyma-project.io - resources: - - kymas/status - verbs: - - get - - patch - - update - - watch -- apiGroups: - - operator.kyma-project.io - resources: - - moduletemplates - verbs: - - list - - watch - - delete \ No newline at end of file diff --git a/config/rbac/namespace_bindings/skr_role_binding.yaml b/config/rbac/namespace_bindings/skr_role_binding.yaml deleted file mode 100644 index 2772232b08..0000000000 --- a/config/rbac/namespace_bindings/skr_role_binding.yaml +++ /dev/null 
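Review bot: The last argument at this call, `flagVar.IstioGatewayNamespace`, binds to the parameter that `GetCacheOptions` names `kcpNamespace` (signature in the internal/cache_options.go hunk of this commit). After this change that value is the only namespace in which Kyma and ModuleTemplate objects are cached. Whether the gateway namespace and the control-plane namespace are the same by design is not visible here; if they can differ, the cache is scoped to the wrong namespace. Either pass the flag that actually holds the control-plane namespace, or state the coupling at the call with a comment such as `// IstioGatewayNamespace is also the KCP namespace; it scopes the Kyma/ModuleTemplate cache`. The body of main continues outside the hunk.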
@@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: controller-manager-skr - namespace: kyma-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: controller-manager-skr -subjects: - - kind: ServiceAccount - name: controller-manager diff --git a/internal/cache_options.go b/internal/cache_options.go index cc7a64a017..0af1f02130 100644 --- a/internal/cache_options.go +++ b/internal/cache_options.go @@ -19,10 +19,9 @@ type DefaultCacheOptions struct { } type KcpCacheOptions struct { - CacheOptions cache.Options - istioNamespace string - kcpNamespace string - remoteNamespace string + CacheOptions cache.Options + istioNamespace string + kcpNamespace string } func (c *DefaultCacheOptions) GetCacheOptions() cache.Options { @@ -47,14 +46,12 @@ func (c *KcpCacheOptions) GetCacheOptions() cache.Options { }, &v1beta2.Kyma{}: { Namespaces: map[string]cache.Config{ - c.remoteNamespace: {}, - c.kcpNamespace: {}, + c.kcpNamespace: {}, }, }, &v1beta2.ModuleTemplate{}: { Namespaces: map[string]cache.Config{ - c.remoteNamespace: {}, - c.kcpNamespace: {}, + c.kcpNamespace: {}, }, }, &v1beta2.ModuleReleaseMeta{}: { @@ -88,12 +85,11 @@ func (c *KcpCacheOptions) GetCacheOptions() cache.Options { } } -func GetCacheOptions(isKymaManaged bool, istioNamespace, kcpNamespace, remoteNamespace string) cache.Options { +func GetCacheOptions(isKymaManaged bool, istioNamespace, kcpNamespace string) cache.Options { if isKymaManaged { options := &KcpCacheOptions{ - istioNamespace: istioNamespace, - kcpNamespace: kcpNamespace, - remoteNamespace: remoteNamespace, + istioNamespace: istioNamespace, + kcpNamespace: kcpNamespace, } return options.GetCacheOptions() } diff --git a/tests/e2e/rbac_privileges_test.go b/tests/e2e/rbac_privileges_test.go index 1014f0fe90..588d2d1a34 100644 --- a/tests/e2e/rbac_privileges_test.go +++ b/tests/e2e/rbac_privileges_test.go 
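Review bot: In the `@@ -47,14 +46,12 @@` hunk of internal/cache_options.go, the Kyma and ModuleTemplate entries now list only `c.kcpNamespace`, so any remaining read of those kinds in the remote sync namespace through the manager's cached client would fail at runtime rather than at compile time. As far as I know, a namespace-restricted controller-runtime cache rejects lookups for namespaces it was not configured with. Please confirm that no such reader is left. The same commit removes the `controller-manager-skr` Role from the kustomization, so an uncached read would also be denied once that Role is actually gone from running clusters. I would record the intent above the two entries, for example `// Only kcpNamespace is cached: the manager has neither cache nor RBAC for these kinds in the remote sync namespace`. `GetCacheOptions` on `KcpCacheOptions` starts and ends outside the hunk.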
@@ -199,38 +199,6 @@ var _ = Describe("RBAC Privileges", func() { Expect(GetRoleBindingRolePolicyRules(ctx, kcpClient, "klm-controller-manager-watcher-certmanager", "istio-system", istioSystemKlmRoleBindings)).To(Equal(istioNamespaceRoleRules)) - - By("And KLM Service Account has the correct RoleBindings in kyma-system namespace") - remoteNamespaceRoleRules := []apirbacv1.PolicyRule{ - { - APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"kymas"}, - Verbs: []string{"list", "watch", "delete", "get", "create", "patch", "update"}, - }, - { - APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"kymas/finalizers"}, - Verbs: []string{"update"}, - }, - { - APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"kymas/status"}, - Verbs: []string{"get", "patch", "update", "watch"}, - }, - { - APIGroups: []string{"operator.kyma-project.io"}, - Resources: []string{"moduletemplates"}, - Verbs: []string{"list", "watch", "delete"}, - }, - } - kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(kcpClient, ctx, "klm-controller-manager", - "kyma-system") - Expect(err).ToNot(HaveOccurred()) - Expect(kymaSystemKlmRoleBindings.Items).To(HaveLen(1)) - - Expect(GetRoleBindingRolePolicyRules(ctx, kcpClient, - "klm-controller-manager-skr", "kyma-system", - kymaSystemKlmRoleBindings)).To(Equal(remoteNamespaceRoleRules)) }) }) }) diff --git a/tests/integration/controller/eventfilters/suite_test.go b/tests/integration/controller/eventfilters/suite_test.go index 73d8354129..30ccfe248c 100644 --- a/tests/integration/controller/eventfilters/suite_test.go +++ b/tests/integration/controller/eventfilters/suite_test.go @@ -124,7 +124,7 @@ var _ = BeforeSuite(func() { BindAddress: randomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) 
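Review bot: None of the ten integration suites updated in this commit reaches the `isKymaManaged` branch whose namespace list the commit narrows, because each calls `internal.GetCacheOptions(false, ...)`. That covers eventfilters here, plus kcp, kyma, mandatorymodule/deletion, mandatorymodule/installation, manifest/custom_resource_check, manifest, moduletemplate, purge and withwatcher. What the non-managed branch returns is outside the visible hunks, so this is inferred from the `if isKymaManaged` guard alone. A small unit test would pin the new scoping: build `opts := internal.GetCacheOptions(true, "istio-system", ControlPlaneNamespace)` and assert that the Kyma and ModuleTemplate entries contain `ControlPlaneNamespace` and nothing else. It is also worth checking whether `RemoteNamespace` is still referenced in each suite after this edit, since the surrounding `BeforeSuite` bodies continue outside the hunks.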
diff --git a/tests/integration/controller/kcp/suite_test.go b/tests/integration/controller/kcp/suite_test.go index 784209be82..e1d7429ec4 100644 --- a/tests/integration/controller/kcp/suite_test.go +++ b/tests/integration/controller/kcp/suite_test.go @@ -124,7 +124,7 @@ var _ = BeforeSuite(func() { BindAddress: UseRandomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) diff --git a/tests/integration/controller/kyma/suite_test.go b/tests/integration/controller/kyma/suite_test.go index 0e43ca2a3f..bd780f071f 100644 --- a/tests/integration/controller/kyma/suite_test.go +++ b/tests/integration/controller/kyma/suite_test.go @@ -122,7 +122,7 @@ var _ = BeforeSuite(func() { BindAddress: randomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) diff --git a/tests/integration/controller/mandatorymodule/deletion/suite_test.go b/tests/integration/controller/mandatorymodule/deletion/suite_test.go index 368fe36e80..2ed0011137 100644 --- a/tests/integration/controller/mandatorymodule/deletion/suite_test.go +++ b/tests/integration/controller/mandatorymodule/deletion/suite_test.go @@ -106,7 +106,7 @@ var _ = BeforeSuite(func() { BindAddress: useRandomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) 
diff --git a/tests/integration/controller/mandatorymodule/installation/suite_test.go b/tests/integration/controller/mandatorymodule/installation/suite_test.go index 6a77125541..38fb3eec1d 100644 --- a/tests/integration/controller/mandatorymodule/installation/suite_test.go +++ b/tests/integration/controller/mandatorymodule/installation/suite_test.go @@ -97,7 +97,7 @@ var _ = BeforeSuite(func() { BindAddress: useRandomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) diff --git a/tests/integration/controller/manifest/custom_resource_check/suite_test.go b/tests/integration/controller/manifest/custom_resource_check/suite_test.go index 4d4059fb30..5073fede57 100644 --- a/tests/integration/controller/manifest/custom_resource_check/suite_test.go +++ b/tests/integration/controller/manifest/custom_resource_check/suite_test.go @@ -114,7 +114,7 @@ var _ = BeforeSuite(func() { if !found { metricsBindAddress = ":0" } - cacheOpts := internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace) + cacheOpts := internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace) syncPeriod := 2 * time.Second cacheOpts.SyncPeriod = &syncPeriod diff --git a/tests/integration/controller/manifest/suite_test.go b/tests/integration/controller/manifest/suite_test.go index c79bbc1cba..a6967ac2ee 100644 --- a/tests/integration/controller/manifest/suite_test.go +++ b/tests/integration/controller/manifest/suite_test.go @@ -125,7 +125,7 @@ var _ = BeforeSuite(func() { BindAddress: metricsBindAddress, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }, ) Expect(err).ToNot(HaveOccurred()) 
diff --git a/tests/integration/controller/moduletemplate/suite_test.go b/tests/integration/controller/moduletemplate/suite_test.go index b0932cb05b..52fcd7f364 100644 --- a/tests/integration/controller/moduletemplate/suite_test.go +++ b/tests/integration/controller/moduletemplate/suite_test.go @@ -90,7 +90,7 @@ var _ = BeforeSuite(func() { BindAddress: randomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) diff --git a/tests/integration/controller/purge/suite_test.go b/tests/integration/controller/purge/suite_test.go index f028acd694..a117dbaef7 100644 --- a/tests/integration/controller/purge/suite_test.go +++ b/tests/integration/controller/purge/suite_test.go @@ -101,7 +101,7 @@ var _ = BeforeSuite(func() { BindAddress: useRandomPort, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred()) diff --git a/tests/integration/controller/withwatcher/suite_test.go b/tests/integration/controller/withwatcher/suite_test.go index d481c9d137..2b9c96f205 100644 --- a/tests/integration/controller/withwatcher/suite_test.go +++ b/tests/integration/controller/withwatcher/suite_test.go @@ -145,7 +145,7 @@ var _ = BeforeSuite(func() { BindAddress: metricsBindAddress, }, Scheme: k8sclientscheme.Scheme, - Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace, RemoteNamespace), + Cache: internal.GetCacheOptions(false, "istio-system", ControlPlaneNamespace), }) Expect(err).ToNot(HaveOccurred())