🐛 end users should not have permissions to edit */status

Mengqi Yu · Mengqi Yu · commit d360f0162644 · 2019-11-25T12:02:28.000-08:00
diff --git a/pkg/scaffold/v2/crd_editor_rbac.go b/pkg/scaffold/v2/crd_editor_rbac.go
@@ -50,7 +50,7 @@ func (g *CRDEditorRole) Validate() error {
 	return g.Resource.Validate()
 }
 
-const crdRoleEditorTemplate = `# permissions to do edit {{ .Resource.Resource }}.
+const crdRoleEditorTemplate = `# permissions for end users to edit {{ .Resource.Resource }}.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -74,6 +74,4 @@ rules:
   - {{ .Resource.Resource }}/status
   verbs:
   - get
-  - patch
-  - update
 `
diff --git a/pkg/scaffold/v2/crd_viewer_rbac.go b/pkg/scaffold/v2/crd_viewer_rbac.go
@@ -50,7 +50,7 @@ func (g *CRDViewerRole) Validate() error {
 	return g.Resource.Validate()
 }
 
-const crdRoleViewerTemplate = `# permissions to do viewer {{ .Resource.Resource }}.
+const crdRoleViewerTemplate = `# permissions for end users to view {{ .Resource.Resource }}.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v2/config/rbac/admiral_editor_role.yaml b/testdata/project-v2/config/rbac/admiral_editor_role.yaml
@@ -1,4 +1,4 @@
-# permissions to do edit admirals.
+# permissions for end users to edit admirals.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -22,5 +22,3 @@ rules:
   - admirals/status
   verbs:
   - get
-  - patch
-  - update
diff --git a/testdata/project-v2/config/rbac/admiral_viewer_role.yaml b/testdata/project-v2/config/rbac/admiral_viewer_role.yaml
@@ -1,4 +1,4 @@
-# permissions to do viewer admirals.
+# permissions for end users to view admirals.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v2/config/rbac/captain_editor_role.yaml b/testdata/project-v2/config/rbac/captain_editor_role.yaml
@@ -1,4 +1,4 @@
-# permissions to do edit captains.
+# permissions for end users to edit captains.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -22,5 +22,3 @@ rules:
   - captains/status
   verbs:
   - get
-  - patch
-  - update
diff --git a/testdata/project-v2/config/rbac/captain_viewer_role.yaml b/testdata/project-v2/config/rbac/captain_viewer_role.yaml
@@ -1,4 +1,4 @@
-# permissions to do viewer captains.
+# permissions for end users to view captains.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v2/config/rbac/firstmate_editor_role.yaml b/testdata/project-v2/config/rbac/firstmate_editor_role.yaml
@@ -1,4 +1,4 @@
-# permissions to do edit firstmates.
+# permissions for end users to edit firstmates.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -22,5 +22,3 @@ rules:
   - firstmates/status
   verbs:
   - get
-  - patch
-  - update
diff --git a/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml b/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml
@@ -1,4 +1,4 @@
-# permissions to do viewer firstmates.
+# permissions for end users to view firstmates.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ func (g *CRDEditorRole) Validate() error {`
`50`	`50`	`return g.Resource.Validate()`
`51`	`51`	`}`
`52`	`52`
`53`		-const crdRoleEditorTemplate = `# permissions to do edit {{ .Resource.Resource }}.
	`53`	+const crdRoleEditorTemplate = `# permissions for end users to edit {{ .Resource.Resource }}.
`54`	`54`	`apiVersion: rbac.authorization.k8s.io/v1`
`55`	`55`	`kind: ClusterRole`
`56`	`56`	`metadata:`
`@@ -74,6 +74,4 @@ rules:`
`74`	`74`	`- {{ .Resource.Resource }}/status`
`75`	`75`	`verbs:`
`76`	`76`	`- get`
`77`		`- - patch`
`78`		`- - update`
`79`	`77`	`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ func (g *CRDViewerRole) Validate() error {`
`50`	`50`	`return g.Resource.Validate()`
`51`	`51`	`}`
`52`	`52`
`53`		-const crdRoleViewerTemplate = `# permissions to do viewer {{ .Resource.Resource }}.
	`53`	+const crdRoleViewerTemplate = `# permissions for end users to view {{ .Resource.Resource }}.
`54`	`54`	`apiVersion: rbac.authorization.k8s.io/v1`
`55`	`55`	`kind: ClusterRole`
`56`	`56`	`metadata:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# permissions to do viewer admirals.`
	`1`	`+# permissions for end users to view admirals.`
`2`	`2`	`apiVersion: rbac.authorization.k8s.io/v1`
`3`	`3`	`kind: ClusterRole`
`4`	`4`	`metadata:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# permissions to do viewer captains.`
	`1`	`+# permissions for end users to view captains.`
`2`	`2`	`apiVersion: rbac.authorization.k8s.io/v1`
`3`	`3`	`kind: ClusterRole`
`4`	`4`	`metadata:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# permissions to do viewer firstmates.`
	`1`	`+# permissions for end users to view firstmates.`
`2`	`2`	`apiVersion: rbac.authorization.k8s.io/v1`
`3`	`3`	`kind: ClusterRole`
`4`	`4`	`metadata:`