v2: correct and test controller RBAC

Prior to this commit the declared permissions for the RedpandaReconciler had
become out of date. This went unnoticed due to tests utilizing admin
permissions or the inflated permissions required for executing `rpk debug
bundle`.

This commit corrects the permission declaration of the RedpandaReconciler,
updates its tests to use the ClusterRole and Role generated by controller-gen,
and adds a test to statically assert the correctness of the permissions.

Author: chrisseto

operator/config/rbac/bases/operator/role.yaml

@@ -97,10 +97,10 @@ rules:
 - apiGroups:
   - cluster.redpanda.com
   resources:
-  - schemas
-  - topics
-  - users
+  - redpandas
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
@@ -109,6 +109,7 @@ rules:
 - apiGroups:
   - cluster.redpanda.com
   resources:
+  - redpandas/finalizers
   - schemas/finalizers
   - topics/finalizers
   - users/finalizers
@@ -117,13 +118,26 @@ rules:
 - apiGroups:
   - cluster.redpanda.com
   resources:
+  - redpandas/status
   - schemas/status
   - topics/status
   - users/status
   verbs:
   - get
   - patch
   - update
+- apiGroups:
+  - cluster.redpanda.com
+  resources:
+  - schemas
+  - topics
+  - users
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - networking.k8s.io
   resources:
@@ -155,6 +169,7 @@ rules:
   - clusterroles
   verbs:
   - create
+  - delete
   - get
   - list
   - patch
@@ -309,50 +324,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - redpandas
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - redpandas/finalizers
-  - schemas/finalizers
-  - topics/finalizers
-  - users/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - redpandas/status
-  - schemas/status
-  - topics/status
-  - users/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - schemas
-  - topics
-  - users
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -394,6 +365,7 @@ rules:
 - apiGroups:
   - monitoring.coreos.com
   resources:
+  - podmonitors
   - servicemonitors
   verbs:
   - create

operator/config/rbac/v2-manager-role/role.yaml

@@ -7,7 +7,9 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - nodes
+  - secrets
   verbs:
   - get
   - list
@@ -26,10 +28,10 @@ rules:
 - apiGroups:
   - cluster.redpanda.com
   resources:
-  - schemas
-  - topics
-  - users
+  - redpandas
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch
@@ -38,6 +40,7 @@ rules:
 - apiGroups:
   - cluster.redpanda.com
   resources:
+  - redpandas/finalizers
   - schemas/finalizers
   - topics/finalizers
   - users/finalizers
@@ -46,13 +49,39 @@ rules:
 - apiGroups:
   - cluster.redpanda.com
   resources:
+  - redpandas/status
   - schemas/status
   - topics/status
   - users/status
   verbs:
   - get
   - patch
   - update
+- apiGroups:
+  - cluster.redpanda.com
+  resources:
+  - schemas
+  - topics
+  - users
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -63,15 +92,13 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - events
+  - configmaps
+  - pods
+  - secrets
+  - serviceaccounts
+  - services
   verbs:
   - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
   - delete
   - get
   - list
@@ -81,12 +108,15 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - secrets
-  - serviceaccounts
-  - services
+  - events
   verbs:
   - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
   - delete
   - get
   - list
@@ -158,50 +188,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - redpandas
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - redpandas/finalizers
-  - schemas/finalizers
-  - topics/finalizers
-  - users/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - redpandas/status
-  - schemas/status
-  - topics/status
-  - users/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - cluster.redpanda.com
-  resources:
-  - schemas
-  - topics
-  - users
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - helm.toolkit.fluxcd.io
   resources:
@@ -231,6 +217,7 @@ rules:
 - apiGroups:
   - monitoring.coreos.com
   resources:
+  - podmonitors
   - servicemonitors
   verbs:
   - create

operator/internal/controller/redpanda/managed_decommission_controller.go

@@ -46,7 +46,7 @@ const (
 
 var ErrZeroReplicas = errors.New("redpanda replicas is zero")
 
-// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas,verbs=get;list;watch;
+// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas,verbs=get;list;watch;
 // +kubebuilder:rbac:groups=core,namespace=default,resources=pods,verbs=update;patch;delete;get;list;watch;
 // +kubebuilder:rbac:groups=core,namespace=default,resources=pods/status,verbs=update;patch
 // +kubebuilder:rbac:groups=core,namespace=default,resources=persistentvolumeclaims,verbs=get;list;update;patch;delete;watch

operator/internal/controller/redpanda/redpanda_controller.go

@@ -104,27 +104,25 @@ type RedpandaReconciler struct {
 
 // any resource that Redpanda helm creates and flux controller needs to reconcile them
 // +kubebuilder:rbac:groups="",namespace=default,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,namespace=default,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,namespace=default,resources=roles,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,namespace=default,resources=roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,namespace=default,resources=jobs,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,namespace=default,resources=secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,namespace=default,resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,namespace=default,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,namespace=default,resources=configmaps;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,namespace=default,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups=policy,namespace=default,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,namespace=default,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cert-manager.io,namespace=default,resources=certificates,verbs=get;create;update;patch;delete;list;watch
 // +kubebuilder:rbac:groups=cert-manager.io,namespace=default,resources=issuers,verbs=get;create;update;patch;delete;list;watch
-// +kubebuilder:rbac:groups="monitoring.coreos.com",namespace=default,resources=servicemonitors,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=networking.k8s.io,namespace=default,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="monitoring.coreos.com",namespace=default,resources=podmonitors;servicemonitors,verbs=get;list;watch;create;update;patch;delete
 
 // Console chart
 // +kubebuilder:rbac:groups=autoscaling,namespace=default,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=networking.k8s.io,namespace=default,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
 
 // redpanda resources
-// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas/finalizers,verbs=update
 // +kubebuilder:rbac:groups=core,namespace=default,resources=events,verbs=create;patch
 
 // SetupWithManager sets up the controller with the Manager.