diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 77845891..49f3cd8c 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -25,6 +25,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -111,6 +112,7 @@ rules: resources: - designateapis/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -137,6 +139,7 @@ rules: resources: - designatebackendbind9s/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -163,6 +166,7 @@ rules: resources: - designatecentrals/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -189,6 +193,7 @@ rules: resources: - designatemdnses/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -215,6 +220,7 @@ rules: resources: - designateproducers/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -241,6 +247,7 @@ rules: resources: - designates/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -267,6 +274,7 @@ rules: resources: - designateunbounds/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -293,6 +301,7 @@ rules: resources: - designateworkers/finalizers verbs: + - patch - update - apiGroups: - designate.openstack.org @@ -359,6 +368,7 @@ rules: resources: - mariadbaccounts/finalizers verbs: + - patch - update - apiGroups: - mariadb.openstack.org @@ -392,6 +402,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -402,6 +413,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: diff --git a/controllers/designate_controller.go b/controllers/designate_controller.go index e0894c96..96e1f660 100644 --- a/controllers/designate_controller.go +++ b/controllers/designate_controller.go 
@@ -84,42 +84,42 @@ type DesignateReconciler struct {
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designates,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designates/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update
+// +kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
+// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch
 // +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
 // service account, role, rolebinding
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
diff --git a/controllers/designateapi_controller.go b/controllers/designateapi_controller.go
index f68c26b4..d852f807 100644
--- a/controllers/designateapi_controller.go
+++ b/controllers/designateapi_controller.go
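Review bot: In controllers/designate_controller.go the three markers under `// service account, role, rolebinding` now grant `patch` on serviceaccounts, roles and rolebindings with no `resourceNames` and no `namespace=` qualifier, and nothing in the hunk records which call needs the verb. The API server's escalation checks on roles and bindings should apply to patches as they do to updates, so this presumably grants nothing beyond the `update` already held, but widening a rule over RBAC objects deserves a stated reason next to it, for example `// service account, role, rolebinding (patch: required by <caller that issues the PATCH>)`. Whether the generated role is cluster-scoped cannot be seen from here and is worth confirming against config/rbac/role.yaml. The matching `update;patch` change on the `*/finalizers` subresources is repeated in each per-resource controller file, so those marker lists have to be kept in step with this one.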
@@ -90,7 +90,7 @@ var keystoneServices = []map[string]string{
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateapis/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
diff --git a/controllers/designatebackendbind9_controller.go b/controllers/designatebackendbind9_controller.go
index 5734b8b3..70d20ec9 100644
--- a/controllers/designatebackendbind9_controller.go
+++ b/controllers/designatebackendbind9_controller.go
@@ -77,7 +77,7 @@ type DesignateBackendbind9Reconciler struct {
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatebackendbind9s/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
diff --git a/controllers/designatecentral_controller.go b/controllers/designatecentral_controller.go
index d0807085..787d2c92 100644
--- a/controllers/designatecentral_controller.go
+++ b/controllers/designatecentral_controller.go
@@ -78,7 +78,7 @@ func (r *DesignateCentralReconciler) GetLogger(ctx context.Context) logr.Logger
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatecentrals/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
diff --git a/controllers/designatemdns_controller.go b/controllers/designatemdns_controller.go
index eeb77649..a41ac846 100644
--- a/controllers/designatemdns_controller.go
+++ b/controllers/designatemdns_controller.go
@@ -77,7 +77,7 @@ func (r *DesignateMdnsReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designatemdnses/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
diff --git a/controllers/designateproducer_controller.go b/controllers/designateproducer_controller.go
index 6be79119..5fa6ae16 100644
--- a/controllers/designateproducer_controller.go
+++ b/controllers/designateproducer_controller.go
@@ -78,7 +78,7 @@ func (r *DesignateProducerReconciler) GetLogger(ctx context.Context) logr.Logger
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateproducers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch
diff --git a/controllers/designateunbound_controller.go b/controllers/designateunbound_controller.go
index 6d3c7afd..ed955fda 100644
--- a/controllers/designateunbound_controller.go
+++ b/controllers/designateunbound_controller.go
@@ -55,7 +55,7 @@ type UnboundReconciler struct {
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateunbounds/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
 // Reconcile implementation for designate's Unbound resolver
diff --git a/controllers/designateworker_controller.go b/controllers/designateworker_controller.go
index 196047f1..4c7c6910 100644
--- a/controllers/designateworker_controller.go
+++ b/controllers/designateworker_controller.go
@@ -77,7 +77,7 @@ func (r *DesignateWorkerReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=designate.openstack.org,resources=designateworkers/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch