Update pgAdmin RBAC to match feature requirements

Adjust kubebuilder markers and regenerate RBAC for current pgAdmin feature. PGO-565
CrunchyData · Oct 16, 2023 · 400c101 · 400c101
1 parent b05eb54
commit 400c101
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 58 deletions.
diff --git a/config/rbac/cluster/role.yaml b/config/rbac/cluster/role.yaml
@@ -103,13 +103,10 @@ rules:
   - postgres-operator.crunchydata.com
   resources:
   - pgadmins
+  - pgupgrades
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - postgres-operator.crunchydata.com
@@ -123,29 +120,6 @@ rules:
   - postgres-operator.crunchydata.com
   resources:
   - pgadmins/status
-  verbs:
-  - get
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
-  - pgpgadmins
-  verbs:
-  - list
-  - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
-  - pgupgrades
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
   - pgupgrades/status
   - postgresclusters/status
   verbs:

diff --git a/config/rbac/namespace/role.yaml b/config/rbac/namespace/role.yaml
@@ -103,13 +103,10 @@ rules:
   - postgres-operator.crunchydata.com
   resources:
   - pgadmins
+  - pgupgrades
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - postgres-operator.crunchydata.com
@@ -123,29 +120,6 @@ rules:
   - postgres-operator.crunchydata.com
   resources:
   - pgadmins/status
-  verbs:
-  - get
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
-  - pgpgadmins
-  verbs:
-  - list
-  - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
-  - pgupgrades
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
   - pgupgrades/status
   - postgresclusters/status
   verbs:

diff --git a/internal/controller/standalone_pgadmin/controller.go b/internal/controller/standalone_pgadmin/controller.go
@@ -81,9 +81,8 @@ func (r *PGAdminReconciler) watchPostgresClusters() handler.Funcs {
 	}
 }
 
-//+kubebuilder:rbac:groups=postgres-operator.crunchydata.com,resources=pgadmins,verbs={get,list,watch,create,update,patch,delete}
-//+kubebuilder:rbac:groups=postgres-operator.crunchydata.com,resources=pgadmins/status,verbs={get,update,patch}
-//+kubebuilder:rbac:groups=postgres-operator.crunchydata.com,resources=pgadmins/finalizers,verbs={update}
+//+kubebuilder:rbac:groups="postgres-operator.crunchydata.com",resources="pgadmins",verbs={get}
+//+kubebuilder:rbac:groups="postgres-operator.crunchydata.com",resources="pgadmins/status",verbs={patch}
 
 // Reconcile which aims to move the current state of the pgAdmin closer to the
 // desired state described in a [v1beta1.PGAdmin] identified by request.

diff --git a/internal/controller/standalone_pgadmin/postgrescluster.go b/internal/controller/standalone_pgadmin/postgrescluster.go
@@ -24,7 +24,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-//+kubebuilder:rbac:groups="postgres-operator.crunchydata.com",resources="pgpgadmins",verbs={list}
+//+kubebuilder:rbac:groups="postgres-operator.crunchydata.com",resources="pgadmins",verbs={list}
 
 // findPGAdminsForPostgresCluster returns PGAdmins that target a given cluster.
 func (r *PGAdminReconciler) findPGAdminsForPostgresCluster(