From 8f325931b9a30edb0a893606925e613ed42de4fe Mon Sep 17 00:00:00 2001 From: Justin SB Date: Thu, 25 Aug 2022 08:29:43 -0400 Subject: [PATCH 1/2] WorkloadIdentityBinding: needs RBAC permissions to read namespaces We need to get the project-id annotation from the namespace. --- porch/controllers/config/rbac/role.yaml | 8 ++++++++ .../pkg/controllers/workloadidentitybinding/controller.go | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/porch/controllers/config/rbac/role.yaml b/porch/controllers/config/rbac/role.yaml index 920baf25aa..278ce271f5 100644 --- a/porch/controllers/config/rbac/role.yaml +++ b/porch/controllers/config/rbac/role.yaml @@ -26,6 +26,14 @@ rules: verbs: - create - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch - apiGroups: - config.porch.kpt.dev resources: diff --git a/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go b/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go index 07f50f837e..29adb6c59c 100644 --- a/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go +++ b/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go @@ -44,6 +44,9 @@ type WorkloadIdentityBindingReconciler struct { //+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=workloadidentitybindings/status,verbs=get;update;patch //+kubebuilder:rbac:groups=config.porch.kpt.dev,resources=workloadidentitybindings/finalizers,verbs=update +// Needs to read namespace to get project-id annotation +//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch + // Reconcile implements the main kubernetes reconciliation loop. func (r *WorkloadIdentityBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { var subject api.WorkloadIdentityBinding 
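Review bot: The new rule grants cluster-wide `list` and `watch` on namespaces, while the only use this series shows is a single `r.Get` of the binding's own namespace in applyToClusterRef (context of the later controller.go hunk of this patch). If that Get goes through the manager's cached client, the namespace informer genuinely needs list/watch on every namespace and the grant is justified; if not, `get` alone satisfies least privilege, or the lookup could use an uncached reader so a compromised controller service account cannot enumerate all namespaces. Either way the marker added in the controller.go hunk `//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch` should record which, e.g. `// Reads the binding's namespace for its project-id annotation; list/watch are needed by the cached client's namespace informer.` The role.yaml rule and the marker agree verb for verb, so this looks like controller-gen output; regenerating rather than hand-editing role.yaml keeps them from drifting.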
@@ -121,7 +124,6 @@ func updateStatus(subject *api.WorkloadIdentityBinding, results *applyset.ApplyR } func (r *WorkloadIdentityBindingReconciler) applyToClusterRef(ctx context.Context, subject *api.WorkloadIdentityBinding) (*applyset.ApplyResults, error) { - ns := &corev1.Namespace{} if err := r.Get(ctx, types.NamespacedName{Name: subject.GetNamespace()}, ns); err != nil { return nil, fmt.Errorf("error getting namespace %q: %w", subject.GetNamespace(), err) From 4693f7e6de4d100f18a026d8895f0dc07178e700 Mon Sep 17 00:00:00 2001 From: Justin SB Date: Thu, 25 Aug 2022 08:55:58 -0400 Subject: [PATCH 2/2] WorkloadIdentityBinding operator: add permissions to create IAMPolicyMembers --- porch/controllers/config/rbac/role.yaml | 12 ++++++++++++ .../workloadidentitybinding/controller.go | 3 +++ 2 files changed, 15 insertions(+) diff --git a/porch/controllers/config/rbac/role.yaml b/porch/controllers/config/rbac/role.yaml index 278ce271f5..bce7b19b3a 100644 --- a/porch/controllers/config/rbac/role.yaml +++ b/porch/controllers/config/rbac/role.yaml @@ -124,3 +124,15 @@ rules: - patch - update - watch +- apiGroups: + - iam.cnrm.cloud.google.com + resources: + - iampolicymembers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go b/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go index 29adb6c59c..0935d49e6c 100644 --- a/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go +++ b/porch/controllers/workloadidentitybinding/pkg/controllers/workloadidentitybinding/controller.go 
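Review bot: This rule lets the controller's service account create, update and delete IAMPolicyMember objects in every namespace, which (presumably, via Config Connector) amounts to granting GCP IAM roles, and the trigger is a namespaced WorkloadIdentityBinding, so whoever may create bindings drives that privilege through the controller. The marker added in the following controller.go hunk documents only `// Creates iampolicymembers (using server-side-apply)`, yet `delete` and `update` are granted as well; if removal happens in a finalizer (the finalizers marker above suggests one exists), say so, otherwise drop the verbs the reconciler does not use. It is also worth stating in that comment that the target project is taken from the namespace's project-id annotation, since that annotation, not the binding's author, is what bounds which project a namespace tenant can affect; suggested wording: `// Applies IAMPolicyMembers with server-side apply for the project named by the namespace's project-id annotation; delete is used on binding removal.` The exact lifecycle is not visible in this diff, so confirm before documenting it.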
@@ -47,6 +47,9 @@ type WorkloadIdentityBindingReconciler struct { // Needs to read namespace to get project-id annotation //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch +// Creates iampolicymembers (using server-side-apply) +//+kubebuilder:rbac:groups=iam.cnrm.cloud.google.com,resources=iampolicymembers,verbs=get;list;watch;create;update;patch;delete + // Reconcile implements the main kubernetes reconciliation loop. func (r *WorkloadIdentityBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { var subject api.WorkloadIdentityBinding