🚀 More permissions and webhook settings.

coderanger · coderanger · commit 2c2b21b706bd · 2020-11-17T02:44:48.000-08:00
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -6,6 +6,31 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deplyoments
+  - replicasets
+  - statfulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - batch
   resources:
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -1,12 +1,14 @@
 
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: mutating-webhook-configuration
 webhooks:
-- clientConfig:
+- admissionReviewVersions:
+  - v1beta1
+  clientConfig:
     caBundle: Cg==
     service:
       name: webhook-service
@@ -24,3 +26,4 @@ webhooks:
     - UPDATE
     resources:
     - pods
+  sideEffects: None
diff --git a/controllers/migrator.go b/controllers/migrator.go
@@ -27,6 +27,9 @@ import (
 // +kubebuilder:rbac:groups=migrations.coderanger.net,resources=migrators,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=migrations.coderanger.net,resources=migrators/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups=,resources=pods,verbs=get;list;watch
+// +kubebuilder:rbac:groups=apps,resources=replicasets;deplyoments;statfulsets;daemonsets,verbs=get;list;watch
+// +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch
 
 func Migrator(mgr ctrl.Manager) error {
 	return cu.NewReconciler(mgr).
diff --git a/webhook/webhook.go b/webhook/webhook.go
@@ -37,7 +37,7 @@ import (
 const REQUIRE_MIGRATOR_ANNOTATION = "migrations.coderanger.net/required"
 const NOWAIT_MIGRATOR_ANNOTATION = "migrations.coderanger.net/no-wait"
 
-// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create;update,versions=v1,name=mpod.migrations.coderanger.net
+// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,sideEffects=None,groups="",resources=pods,verbs=create;update,versions=v1,name=mpod.migrations.coderanger.net
 
 // initInjector injects migration initContainers into Pods
 type initInjector struct {
