limits runtime rbacs annotations to kcp-system

kyma-project · Nov 25, 2024 · 7a6a835 · 7a6a835
1 parent d67dde7
commit 7a6a835
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 24 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,21 +4,10 @@ kind: ClusterRole
 metadata:
   name: infrastructure-manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters
+  - runtimes
   verbs:
   - create
   - delete
@@ -30,38 +19,51 @@ rules:
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters/finalizers
+  - runtimes/finalizers
   verbs:
   - update
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - gardenerclusters/status
+  - runtimes/status
   verbs:
+  - get
+  - patch
   - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: infrastructure-manager-role
+  namespace: kcp-system
+rules:
 - apiGroups:
-  - infrastructuremanager.kyma-project.io
+  - ""
   resources:
-  - runtimes
+  - secrets
   verbs:
   - create
   - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - runtimes/finalizers
+  - gardenerclusters
   verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
   - update
+  - watch
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - runtimes/status
+  - gardenerclusters/finalizers
+  - gardenerclusters/status
   verbs:
-  - get
-  - patch
   - update
diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
@@ -41,9 +41,9 @@ type RuntimeReconciler struct {
 	EventRecorder record.EventRecorder
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update,namespace=kcp-system
 
 var requCounter = 0 // nolint:gochecknoglobals