Keep basic permissions and remove wildcard* in NSS operator CSV (#285)

YCShen1010 · web-flow · commit a37e1f309451 · 2023-10-27T02:48:46.000+08:00
* Remove wildcard permission in NSS operator CSV

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* upgrade operator-sdk

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

* add product name label

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;

---------

Signed-off-by: YuChen &lt;yuchen.shen@mail.utoronto.ca&gt;
diff --git a/Makefile b/Makefile
@@ -21,7 +21,7 @@ CONTROLLER_GEN ?= $(shell which controller-gen)
 KUSTOMIZE ?= $(shell which kustomize)
 YQ_VERSION=3.4.0
 KUSTOMIZE_VERSION=v3.8.7
-OPERATOR_SDK_VERSION=v1.20.0
+OPERATOR_SDK_VERSION=v1.32.0
 
 GOPATH=$(HOME)/go/bin/
 
diff --git a/bundle.Dockerfile b/bundle.Dockerfile
@@ -7,7 +7,7 @@ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=ibm-namespace-scope-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=v4.0
 LABEL operators.operatorframework.io.bundle.channel.default.v1=v4.0
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0+git
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.32.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v2
 
diff --git a/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml
@@ -23,11 +23,11 @@ metadata:
       ]
     capabilities: Seamless Upgrades
     containerImage: icr.io/cpopen/ibm-namespace-scope-operator:latest
-    createdAt: "2023-02-26T12:14:20Z"
+    createdAt: "2020-11-2T15:38:33Z"
     olm.skipRange: '<4.2.1'
-    operators.operatorframework.io/builder: operator-sdk-v1.24.0
-    operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
     operators.openshift.io/infrastructure-features: '["disconnected"]'
+    operators.operatorframework.io/builder: operator-sdk-v1.32.0
+    operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
     repository: https://github.com/IBM/ibm-namespace-scope-operator
     support: IBM
   labels:
@@ -93,8 +93,8 @@ spec:
                 app.kubernetes.io/instance: ibm-namespace-scope-operator
                 app.kubernetes.io/managed-by: ibm-namespace-scope-operator
                 app.kubernetes.io/name: ibm-namespace-scope-operator
-                productName: IBM_Cloud_Platform_Common_Services
                 name: ibm-namespace-scope-operator
+                productName: IBM_Cloud_Platform_Common_Services
             spec:
               affinity:
                 nodeAffinity:
@@ -142,9 +142,10 @@ spec:
       permissions:
       - rules:
         - apiGroups:
-          - '*'
+          - rbac.authorization.k8s.io
           resources:
-          - '*'
+          - rolebindings
+          - roles
           verbs:
           - create
           - delete
@@ -153,7 +154,40 @@ spec:
           - patch
           - update
           - watch
-          - deletecollection
+        - apiGroups:
+          - ""
+          resources:
+          - configmaps
+          - pods
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - operators.coreos.com
+          resources:
+          - clusterserviceversions
+          verbs:
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - operator.ibm.com
+          resources:
+          - namespacescopes
+          - namespacescopes/status
+          verbs:
+          - get
+          - list
+          - patch
+          - update
+          - watch
         serviceAccountName: ibm-namespace-scope-operator
     strategy: deployment
   installModes:
diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml
@@ -6,7 +6,7 @@ annotations:
   operators.operatorframework.io.bundle.package.v1: ibm-namespace-scope-operator
   operators.operatorframework.io.bundle.channels.v1: v4.0
   operators.operatorframework.io.bundle.channel.default.v1: v4.0
-  operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0+git
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v2
 
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -12,6 +12,7 @@ metadata:
     app.kubernetes.io/instance: "ibm-namespace-scope-operator"
     app.kubernetes.io/managed-by: "ibm-namespace-scope-operator"
     app.kubernetes.io/name: "ibm-namespace-scope-operator"
+    productName: IBM_Cloud_Platform_Common_Services
 spec:
   selector:
     matchLabels:
@@ -24,6 +25,7 @@ spec:
         app.kubernetes.io/instance: ibm-namespace-scope-operator
         app.kubernetes.io/managed-by: "ibm-namespace-scope-operator"
         app.kubernetes.io/name: "ibm-namespace-scope-operator"
+        productName: IBM_Cloud_Platform_Common_Services
       annotations:
         productName: "IBM Cloud Platform Common Services"
         productID: "068a62892a1e4db39641342e592daa25"
diff --git a/config/manifests/bases/ibm-namespace-scope-operator.clusterserviceversion.yaml b/config/manifests/bases/ibm-namespace-scope-operator.clusterserviceversion.yaml
@@ -6,9 +6,9 @@ metadata:
     capabilities: Seamless Upgrades
     containerImage: icr.io/cpopen/ibm-namespace-scope-operator:latest
     createdAt: "2020-11-2T15:38:33Z"
+    operators.openshift.io/infrastructure-features: '["disconnected"]'
     operators.operatorframework.io/builder: operator-sdk-v1.1.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
-    operators.openshift.io/infrastructure-features: '["disconnected"]'
     repository: https://github.com/IBM/ibm-namespace-scope-operator
     support: IBM
   labels:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -3,19 +3,53 @@ kind: Role
 metadata:
   name: ibm-namespace-scope-operator
 rules:
-  - apiGroups:
-      - "*"
+  - verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    apiGroups:
+      - rbac.authorization.k8s.io
     resources:
-      - "*"
-    verbs:
+      - rolebindings
+      - roles
+  - verbs:
       - create
       - delete
       - get
       - list
       - patch
       - update
       - watch
-      - deletecollection
+    apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - pods
+  - verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    apiGroups:
+      - operators.coreos.com
+    resources:
+      - clusterserviceversions
+  - verbs:
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    apiGroups:
+      - operator.ibm.com
+    resources:
+      - namespacescopes
+      - namespacescopes/status
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
