Adding patch rbac perm for serviceaccounts
We also took the opportunity to add patch to all existing RBAC
rules that already had update, to avoid similar issues in the future

Resolves: https://issues.redhat.com/browse/OSPRH-8363

Signed-off-by: Martin Schuppert <[email protected]>
stuggi committed Jul 4, 2024
1 parent 4aa930e commit c54cc0d
Showing 9 changed files with 31 additions and 19 deletions.
12 changes: 12 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -25,6 +25,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down Expand Up @@ -111,6 +112,7 @@ rules:
resources:
- designateapis/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -137,6 +139,7 @@ rules:
resources:
- designatebackendbind9s/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -163,6 +166,7 @@ rules:
resources:
- designatecentrals/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -189,6 +193,7 @@ rules:
resources:
- designatemdnses/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -215,6 +220,7 @@ rules:
resources:
- designateproducers/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -241,6 +247,7 @@ rules:
resources:
- designates/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -267,6 +274,7 @@ rules:
resources:
- designateunbounds/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand All @@ -293,6 +301,7 @@ rules:
resources:
- designateworkers/finalizers
verbs:
- patch
- update
- apiGroups:
- designate.openstack.org
Expand Down Expand Up @@ -359,6 +368,7 @@ rules:
resources:
- mariadbaccounts/finalizers
verbs:
- patch
- update
- apiGroups:
- mariadb.openstack.org
Expand Down Expand Up @@ -392,6 +402,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -402,6 +413,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
24 changes: 12 additions & 12 deletions controllers/designate_controller.go
Expand Up @@ -84,42 +84,42 @@ type DesignateReconciler struct {

// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update
// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch
// +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch

// service account, role, rolebinding
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
// service account permissions that are needed to grant permission to the above
// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
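Review bot: The widened grant on `resources=roles` and `resources=rolebindings` (verbs now `get;list;watch;create;update;patch`) is the privilege-sensitive part of this block, and the commit message justifies patch only for serviceaccounts. The API server's RBAC escalation check still bounds what the operator can write into a Role or RoleBinding, but someone auditing config/rbac/role.yaml later cannot tell from these markers whether any code path actually patches those two resources. If the helpers that create the per-service role and rolebinding do issue patch calls, say so above the block, e.g. `// patch: the role/rolebinding helpers apply changes via Patch, not Update`; if only the serviceaccount path needs it, keeping roles and rolebindings at update preserves the least-privilege shape. The same remark applies to the `*/finalizers` lines changed from `update` to `update;patch` here and in the seven sibling controller files in this commit, which look like harmless widenings but are equally undocumented. These markers sit above the `DesignateReconciler` type, outside any function.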
2 changes: 1 addition & 1 deletion controllers/designateapi_controller.go
Expand Up @@ -90,7 +90,7 @@ var keystoneServices = []map[string]string{

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
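Review bot: The changed `designateapis/finalizers` marker keeps the `//+kubebuilder` prefix while the three `core` markers directly below it use `// +kubebuilder`, so the block mixes two spellings; controller-gen accepts both, but a naive grep for `// +kubebuilder:rbac` during an RBAC audit can miss the unspaced lines. Since the line is being touched anyway, writing it as `// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch` would align it with the neighbouring markers and with designate_controller.go. The same mix is visible in designatebackendbind9_controller.go, designatecentral_controller.go, designatemdns_controller.go, designateproducer_controller.go and designateworker_controller.go in this commit. The marker block sits at package level, outside any function.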
2 changes: 1 addition & 1 deletion controllers/designatebackendbind9_controller.go
Expand Up @@ -77,7 +77,7 @@ type DesignateBackendbind9Reconciler struct {

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
2 changes: 1 addition & 1 deletion controllers/designatecentral_controller.go
Expand Up @@ -78,7 +78,7 @@ func (r *DesignateCentralReconciler) GetLogger(ctx context.Context) logr.Logger

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
2 changes: 1 addition & 1 deletion controllers/designatemdns_controller.go
Expand Up @@ -77,7 +77,7 @@ func (r *DesignateMdnsReconciler) GetLogger(ctx context.Context) logr.Logger {

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
2 changes: 1 addition & 1 deletion controllers/designateproducer_controller.go
Expand Up @@ -78,7 +78,7 @@ func (r *DesignateProducerReconciler) GetLogger(ctx context.Context) logr.Logger

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
2 changes: 1 addition & 1 deletion controllers/designateunbound_controller.go
Expand Up @@ -55,7 +55,7 @@ type UnboundReconciler struct {

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update;patch
//+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch

// Reconcile implementation for designate's Unbound resolver
2 changes: 1 addition & 1 deletion controllers/designateworker_controller.go
Expand Up @@ -77,7 +77,7 @@ func (r *DesignateWorkerReconciler) GetLogger(ctx context.Context) logr.Logger {

//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update
//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
