Fix controllers RBAC permissions (#54)

vanekjar · web-flow · commit 45bc9e227401 · 2021-10-26T14:32:19.000-07:00
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -1,12 +1,12 @@
 # Adds namespace to all resources.
-namespace: migration-system
+namespace: cloud-map-mcs-system
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
-namePrefix: migration-
+namePrefix: cloud-map-mcs-
 
 # Labels to add to all resources and selectors.
 #commonLabels:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -7,52 +7,56 @@ metadata:
   name: manager-role
 rules:
 - apiGroups:
-  - multicluster.x-k8s.io
+  - ""
   resources:
-  - serviceexports
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
   verbs:
+  - create
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
-  - multicluster.x-k8s.io
+  - discovery.k8s.io
   resources:
-  - serviceexports/finalizers
+  - endpointslices
   verbs:
+  - create
   - get
-  - update
+  - list
+  - watch
 - apiGroups:
   - multicluster.x-k8s.io
   resources:
-  - serviceimports
+  - serviceexports
   verbs:
-  - create
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - ""
+  - multicluster.x-k8s.io
   resources:
-  - namespaces
-  - services
-  - endpoints
+  - serviceexports/finalizers
   verbs:
   - get
-  - list
-  - watch
-  - create
   - update
 - apiGroups:
-  - discovery.k8s.io
+  - multicluster.x-k8s.io
   resources:
-  - endpointslices
+  - serviceimports
   verbs:
-  - list
-  - watch
-  - get
   - create
+  - delete
+  - get
+  - list
+  - patch
   - update
+  - watch
diff --git a/pkg/controllers/cloudmap_controller.go b/pkg/controllers/cloudmap_controller.go
@@ -34,7 +34,10 @@ type CloudMapReconciler struct {
 	logr.Logger
 }
 
-// +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports,verbs=get;list;update;patch
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=services,verbs=create;get;list;watch
+// +kubebuilder:rbac:groups="discovery.k8s.io",resources=endpointslices,verbs=list;get;create;watch
+// +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports,verbs=create;get;list;watch;update;patch;delete
 
 // Start implements manager.Runnable
 func (r *CloudMapReconciler) Start(ctx context.Context) error {
diff --git a/pkg/controllers/serviceexport_controller.go b/pkg/controllers/serviceexport_controller.go
@@ -47,6 +47,8 @@ type ServiceExportReconciler struct {
 	Cloudmap cloudmap.ServiceDiscoveryClient
 }
 
+// +kubebuilder:rbac:groups="",resources=services,verbs=get
+// +kubebuilder:rbac:groups="discovery.k8s.io",resources=endpointslices,verbs=list;watch;create
 // +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceexports,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceexports/finalizers,verbs=get;update
 

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,8 @@ type ServiceExportReconciler struct {`
`47`	`47`	`Cloudmap cloudmap.ServiceDiscoveryClient`
`48`	`48`	`}`
`49`	`49`
	`50`	`+// +kubebuilder:rbac:groups="",resources=services,verbs=get`
	`51`	`+// +kubebuilder:rbac:groups="discovery.k8s.io",resources=endpointslices,verbs=list;watch;create`
`50`	`52`	`// +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceexports,verbs=get;list;watch;update;patch`
`51`	`53`	`// +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceexports/finalizers,verbs=get;update`
`52`	`54`