Merge pull request openstack-k8s-operators#185 from stuggi/OSPRH-8363

Adding patch rbac perm for serviceaccounts
stuggi · Jul 4, 2024 · c2b1728 · c2b1728
2 parents 4aa930e + c54cc0d
commit c2b1728
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 19 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -25,6 +25,7 @@ rules:
   - create
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:
@@ -111,6 +112,7 @@ rules:
   resources:
   - designateapis/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -137,6 +139,7 @@ rules:
   resources:
   - designatebackendbind9s/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -163,6 +166,7 @@ rules:
   resources:
   - designatecentrals/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -189,6 +193,7 @@ rules:
   resources:
   - designatemdnses/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -215,6 +220,7 @@ rules:
   resources:
   - designateproducers/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -241,6 +247,7 @@ rules:
   resources:
   - designates/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -267,6 +274,7 @@ rules:
   resources:
   - designateunbounds/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -293,6 +301,7 @@ rules:
   resources:
   - designateworkers/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - designate.openstack.org
@@ -359,6 +368,7 @@ rules:
   resources:
   - mariadbaccounts/finalizers
   verbs:
+  - patch
   - update
 - apiGroups:
   - mariadb.openstack.org
@@ -392,6 +402,7 @@ rules:
   - create
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:
@@ -402,6 +413,7 @@ rules:
   - create
   - get
   - list
+  - patch
   - update
   - watch
 - apiGroups:

diff --git a/controllers/designate_controller.go b/controllers/designate_controller.go
@@ -84,42 +84,42 @@ type DesignateReconciler struct {
 
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designates,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
+// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch
 // +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
 
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch

diff --git a/controllers/designateapi_controller.go b/controllers/designateapi_controller.go
@@ -90,7 +90,7 @@ var keystoneServices = []map[string]string{
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch

diff --git a/controllers/designatebackendbind9_controller.go b/controllers/designatebackendbind9_controller.go
@@ -77,7 +77,7 @@ type DesignateBackendbind9Reconciler struct {
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch

diff --git a/controllers/designatecentral_controller.go b/controllers/designatecentral_controller.go
@@ -78,7 +78,7 @@ func (r *DesignateCentralReconciler) GetLogger(ctx context.Context) logr.Logger
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch

diff --git a/controllers/designatemdns_controller.go b/controllers/designatemdns_controller.go
@@ -77,7 +77,7 @@ func (r *DesignateMdnsReconciler) GetLogger(ctx context.Context) logr.Logger {
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch

diff --git a/controllers/designateproducer_controller.go b/controllers/designateproducer_controller.go
@@ -78,7 +78,7 @@ func (r *DesignateProducerReconciler) GetLogger(ctx context.Context) logr.Logger
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch

diff --git a/controllers/designateunbound_controller.go b/controllers/designateunbound_controller.go
@@ -55,7 +55,7 @@ type UnboundReconciler struct {
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
 
 // Reconcile implementation for designate's Unbound resolver

diff --git a/controllers/designateworker_controller.go b/controllers/designateworker_controller.go
@@ -77,7 +77,7 @@ func (r *DesignateWorkerReconciler) GetLogger(ctx context.Context) logr.Logger {
 
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch