Bug fixes for Pod Identity (#774)

* Bug fixes

* Apply suggestion from @sabrina-ngrok

* Remove role permissions for pods

Author: sabrina-ngrok

cmd/bindings-forwarder-manager.go

@@ -32,10 +32,12 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -113,6 +115,9 @@ func runController(_ context.Context, opts bindingsForwarderManagerOpts) error {
 			DefaultNamespaces: map[string]cache.Config{
 				opts.namespace: {},
 			},
+			ByObject: map[client.Object]cache.ByObject{
+				&corev1.Pod{}: {Namespaces: map[string]cache.Config{cache.AllNamespaces: {}}},
+			},
 		},
 		Metrics: server.Options{
 			BindAddress: opts.metricsAddr,

helm/ngrok-operator/templates/bindings-forwarder/rbac.yaml

@@ -48,6 +48,26 @@ rules:
   verbs:
   - create
   - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ngrok-operator.fullname" . }}-bindings-forwarder-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $bindingForwarderRole }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "ngrok-operator.bindings.forwarder.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "ngrok-operator.fullname" . }}-bindings-forwarder
+rules:
 - apiGroups:
   - ""
   resources:
@@ -58,13 +78,13 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
-  name: {{ include "ngrok-operator.fullname" . }}-bindings-forwarder-rolebinding
+  name: {{ include "ngrok-operator.fullname" . }}-bindings-forwarder-clusterrolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $bindingForwarderRole }}
+  kind: ClusterRole
+  name: {{ include "ngrok-operator.fullname" . }}-bindings-forwarder
 subjects:
 - kind: ServiceAccount
   name: {{ template "ngrok-operator.bindings.forwarder.serviceAccountName" . }}