Merge pull request #8608 from zalando-incubator/update-role-sync-controller-rbac

mikkeloscar · web-flow · commit bd8e8948ffea · 2024-12-10T13:10:55.000+01:00
add appropriate RBAC for the role-sync-controller
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -313,6 +313,8 @@ post_apply:
 - name: role-sync-controller
   kind: CronJob
   namespace: kube-system
+- name: role-sync-controller
+  kind: ClusterRole
 - name: role-sync-controller
   kind: ClusterRoleBinding
 - name: role-sync-controller
diff --git a/cluster/manifests/role-sync-controller/rbac.yaml b/cluster/manifests/role-sync-controller/rbac.yaml
@@ -1,5 +1,40 @@
 {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: role-sync-controller
+  labels:
+    application: kubernetes
+    component: role-sync-controller
+rules:
+  # Allow the controller to list namespaces
+  - apiGroups:
+    - ""
+    resources:
+    - "namespaces"
+    verbs:
+    - "list"
+  # Allow the controller to manage Roles and Rolebindings
+  - apiGroups:
+    - rbac.authorization.k8s.io
+    resources:
+    - roles
+    - rolebindings
+    verbs:
+    - "get"
+    - "create"
+    - "update"
+  # Allow the controller to manage roles based on reading Secrets
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: role-sync-controller
@@ -9,7 +44,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: poweruser
+  name: role-sync-controller
 subjects:
 - kind: ServiceAccount
   name: role-sync-controller
diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go
@@ -185,7 +185,9 @@ var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
 
 		g.It("should allow read access to Secrets in namespaces other than kube-system and visibility", func() {
 			tc.data.resources = []string{"secrets"}
-			tc.data.namespaces = []string{"default", "teapot"}
+			// The namespace must exist for the test case to pass, otherwise access
+			// remains undecided.
+			tc.data.namespaces = []string{"default"}
 			tc.data.verbs = readOperations
 			tc.run(context.TODO(), cs, true)
 			gomega.Expect(tc.output.passed).To(gomega.BeTrue(), tc.output.String())
