diff --git a/Makefile b/Makefile index f2d622f1..863ecc20 100644 --- a/Makefile +++ b/Makefile @@ -156,7 +156,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest ## Tool Versions -KUSTOMIZE_VERSION ?= v4.5.5 +KUSTOMIZE_VERSION ?= v5.5.0 CONTROLLER_TOOLS_VERSION ?= v0.16.5 .PHONY: kustomize @@ -166,7 +166,7 @@ $(KUSTOMIZE): $(LOCALBIN) echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ rm -rf $(LOCALBIN)/kustomize; \ fi - test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v4@$(KUSTOMIZE_VERSION) + test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION) .PHONY: controller-gen controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e8c654a5..de3c2b20 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,8 +1,9 @@ --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: infrastructure-manager-role + namespace: kcp-system rules: - apiGroups: - "" @@ -34,13 +35,22 @@ rules: - gardenerclusters/finalizers - gardenerclusters/status - runtimes/finalizers + - runtimes/status verbs: + - create + - delete + - get + - list + - patch - update - apiGroups: - infrastructuremanager.kyma-project.io resources: - - runtimes/status + - runtimes verbs: + - create - get + - list - patch - update + - watch diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 60f28ad3..5b3b05c4 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml 
@@ -1,17 +1,18 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: labels: - app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/name: rolebinding app.kubernetes.io/instance: infrastructure-manager-rolebinding app.kubernetes.io/component: rbac app.kubernetes.io/created-by: infrastructure-manager app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: infrastructure-manager-rolebinding + namespace: kcp-system roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: infrastructure-manager-role subjects: - kind: ServiceAccount diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 5c3330c2..3ddd25a9 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml @@ -9,4 +9,4 @@ metadata: app.kubernetes.io/part-of: infrastructure-manager app.kubernetes.io/managed-by: kustomize name: infrastructure-manager - namespace: system + namespace: kcp-system diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go index 67aa9f5b..c3bf14d8 100644 --- a/internal/controller/kubeconfig/gardener_cluster_controller.go +++ b/internal/controller/kubeconfig/gardener_cluster_controller.go 
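Review bot: The `subjects` entry in role_binding.yaml is cut off at `- kind: ServiceAccount`, so the subject's `namespace` lies outside this hunk and may still read `system` while the Role, the RoleBinding and service_account.yaml now hard-code `kcp-system`. If the subject does not resolve to `kcp-system` after kustomize runs, the binding names a ServiceAccount that does not exist and the manager comes up with no permissions at all. Either set `namespace: kcp-system` on the subject as well, or keep one placeholder in all three files and let the overlay's namespace setting supply the real name, so the files cannot drift apart.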
@@ -79,10 +79,10 @@ type KubeconfigProvider interface { Fetch(ctx context.Context, shootName string) (string, error) } -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=get;list;delete;create;update;patch,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=get;list;delete;create;update;patch,namespace=kcp-system // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go index 2967b594..6ec81603 100644 --- a/internal/controller/runtime/runtime_controller.go +++ b/internal/controller/runtime/runtime_controller.go 
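Review bot: The rewritten markers for `gardenerclusters/finalizers` and `gardenerclusters/status` widen the grant from `update` to `get;list;delete;create;update;patch`, and the same widening is applied to `runtimes/status` and `runtimes/finalizers` in runtime_controller.go. A custom resource's status endpoint serves only get, update and patch, and the finalizers subresource is only checked for `update`, so the added list, create and delete verbs grant nothing usable and make the Role harder to audit against least privilege. I would keep the previous verb sets and only append the namespace, e.g. `resources=gardenerclusters/finalizers,verbs=update,namespace=kcp-system` and `resources=gardenerclusters/status,verbs=update,namespace=kcp-system`. The merged rule in config/rbac/role.yaml looks generated from these markers, so the fix belongs here followed by a regenerate rather than a hand edit of the YAML. The Reconcile function the markers annotate lies outside the hunk.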
@@ -45,9 +45,9 @@ type RuntimeReconciler struct { RequestID atomic.Uint64 } -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;list;delete;create;update;patch,namespace=kcp-system +//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=get;list;delete;create;update;patch,namespace=kcp-system func (r *RuntimeReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) { r.Log.Info(request.String())
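Review bot: Adding `namespace=kcp-system` to the `runtimes` marker turns the generated rule into a namespaced Role, but nothing in this diff restricts the manager's cache to that namespace. If the manager still lists and watches `Runtime` and `GardenerCluster` objects cluster-wide, those calls will be denied once the ClusterRole is gone, and the easy way out is to restore the cluster-wide grant this commit removes. Please confirm that the manager setup, which is outside this diff, limits its cache to `kcp-system` (controller-runtime exposes this through the cache options, e.g. `DefaultNamespaces`), and add a comment above the markers such as `// RBAC is namespaced: the manager cache must be limited to kcp-system`. Reconcile's body continues past the end of the hunk.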