Fix the CRD read permissions on hosted config-policy-controllers

mprahl · mprahl · commit 1eb607e3f1bb · 2023-01-26T14:06:18.000-05:00
This accidentally used a Role instead of a ClusterRole. The ClusterRole will be the same for all hosted clusters but the ClusterRoleBinding is unique per hosted cluster since there's no way for ManifestWork to merge the subjects array. Relates: https://issues.redhat.com/browse/ACM-2923 Signed-off-by: mprahl <mprahl@users.noreply.github.com>
diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role.yaml
@@ -7,7 +7,6 @@ kind: Role
 kind: ClusterRole
 {{- end }}
 metadata:
-  creationTimestamp: null
   name: {{ include "controller.rolename" . }}
   {{- if eq .Values.installMode "Hosted" }}
   namespace: {{ .Release.Namespace }}
@@ -78,16 +77,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  resourceNames:
-  - configurationpolicies.policy.open-cluster-management.io
-  verbs:
-  - get
-  - list
-  - watch
 {{- else }}
 - apiGroups:
   - '*'
diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role_binding.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role_binding.yaml
@@ -7,7 +7,6 @@ kind: RoleBinding
 kind: ClusterRoleBinding
 {{- end }}
 metadata:
-  creationTimestamp: null
   name: {{ include "controller.rolename" . }}
   {{- if eq .Values.installMode "Hosted" }}
   namespace: {{ .Release.Namespace }}
diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role_binding_crd_reader.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role_binding_crd_reader.yaml
@@ -0,0 +1,23 @@
+# Copyright Contributors to the Open Cluster Management project
+
+{{- if eq .Values.installMode "Hosted" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ocm:{{ .Release.Namespace }}:{{ include "controller.fullname" . }}
+  labels:
+    app: {{ include "controller.fullname" . }}
+    chart: {{ include "controller.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    addon.open-cluster-management.io/hosted-manifest-location: hosting
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ocm:{{ include "controller.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role_crd_reader.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/cluster_role_crd_reader.yaml
@@ -0,0 +1,26 @@
+# Copyright Contributors to the Open Cluster Management project
+
+{{- if eq .Values.installMode "Hosted" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ocm:{{ include "controller.fullname" . }}
+  labels:
+    app: {{ include "controller.fullname" . }}
+    chart: {{ include "controller.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    addon.open-cluster-management.io/hosted-manifest-location: hosting
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  resourceNames:
+  - configurationpolicies.policy.open-cluster-management.io
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
