From 80e6251e384f03abb35487da3df3fee79d9fb8d1 Mon Sep 17 00:00:00 2001
From: Andrew Gouin
Date: Wed, 18 Oct 2023 00:07:45 -0600
Subject: [PATCH] roles for manager
---
 config/manager/manager.yaml | 1 +
 config/rbac/role.yaml | 14 ++++++++++++++
 controllers/cosmosfullnode_controller.go | 3 ++-
 internal/fullnode/rbac_builder.go | 22 +++++++++++++++++++---
 4 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 1216d9a6..16811868 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -31,6 +31,7 @@ spec:
 containers:
 - command:
 - /manager
+ imagePullPolicy: Always
 args:
 - --leader-elect
 image: controller:latest
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 6254b8be..f77f269f 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -11,6 +11,7 @@ rules:
 - configmaps
 - persistentvolumeclaims
 - pods
+ - serviceaccounts
 - services
 verbs:
 - create
@@ -144,6 +145,19 @@ rules:
 - get
 - patch
 - update
+- apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings - clusterroles verbs: - create - delete - get - list - patch - update - watch
 - apiGroups:
 - snapshot.storage.k8s.io
 resources:
diff --git a/controllers/cosmosfullnode_controller.go b/controllers/cosmosfullnode_controller.go
index ed26c51f..ce4678a2 100644
--- a/controllers/cosmosfullnode_controller.go
+++ b/controllers/cosmosfullnode_controller.go
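Review bot: `imagePullPolicy: Always` next to the mutable `image: controller:latest` tag means the manager binary can change on any pod restart without a manifest change, which makes the deployed controller hard to audit or roll back. `Always` is already the default pull policy for a `:latest` tag, so the new line only spells out existing behaviour; the stronger control is to reference the release image by digest (e.g. `image: controller@sha256:<DIGEST>`) in whichever overlay sets the real image, while keeping `imagePullPolicy: Always` as a defensive default. As this looks like the kustomize base with the image presumably patched per environment, the digest pin may belong in that overlay rather than here.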
@@ -91,7 +91,8 @@ var (
 //+kubebuilder:rbac:groups=cosmos.strange.love,resources=cosmosfullnodes/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=cosmos.strange.love,resources=cosmosfullnodes/finalizers,verbs=update
 // Generate RBAC roles to watch and update resources. IMPORTANT!!!! All resource names must be lowercase or cluster role will not work.
-//+kubebuilder:rbac:groups="",resources=pods;persistentvolumeclaims;services;configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=pods;persistentvolumeclaims;services;serviceaccounts;configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;update;patch
diff --git a/internal/fullnode/rbac_builder.go b/internal/fullnode/rbac_builder.go
index 24ea7bcb..61fc5466 100644
--- a/internal/fullnode/rbac_builder.go
+++ b/internal/fullnode/rbac_builder.go
@@ -3,6 +3,7 @@ package fullnode
 import (
 cosmosv1 "github.com/strangelove-ventures/cosmos-operator/api/v1"
 "github.com/strangelove-ventures/cosmos-operator/internal/diff"
+ "github.com/strangelove-ventures/cosmos-operator/internal/kube"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
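Review bot: The new `//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles;clusterrolebindings,...` marker lets the manager create and bind ClusterRoles, but Kubernetes' RBAC escalation prevention only allows a subject to create a ClusterRole whose rules it already holds itself (or it needs the `escalate` verb), and to create a ClusterRoleBinding to a role whose permissions it already holds (or the `bind` verb). The rules assembled by BuildClusterRoles in internal/fullnode/rbac_builder.go are outside this diff, so every verb and resource placed in that ClusterRole must also be covered by a marker here; otherwise the create is refused with a forbidden error at reconcile time rather than being caught at build time. A comment above the new marker recording that coupling, e.g. `// Every rule granted by BuildClusterRoles must also be granted to the manager here (RBAC escalation prevention).`, would save the next maintainer a debugging round. The regenerated config/rbac/role.yaml hunks in this commit already match these markers.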
@@ -21,9 +22,10 @@ func clusterRoleName(crd *cosmosv1.CosmosFullNode) string {
 // Creates a single service account for the version check.
 func BuildServiceAccounts(crd *cosmosv1.CosmosFullNode) []diff.Resource[*corev1.ServiceAccount] {
 diffSa := make([]diff.Resource[*corev1.ServiceAccount], 1)
- svc := corev1.ServiceAccount{
+ sa := corev1.ServiceAccount{
 TypeMeta: v1.TypeMeta{
- Kind: "ServiceAccount",
+ Kind: "ServiceAccount",
+ APIVersion: "v1",
 },
 ObjectMeta: v1.ObjectMeta{
 Name: serviceAccountName(crd),
@@ -31,7 +33,9 @@ func BuildServiceAccounts(crd *cosmosv1.CosmosFullNode) []diff.Resource[*corev1.
 },
 }
- diffSa[0] = diff.Adapt(&svc, 0)
+ sa.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")
+
+ diffSa[0] = diff.Adapt(&sa, 0)
 return diffSa
 }
@@ -42,6 +46,10 @@ func BuildServiceAccounts(crd *cosmosv1.CosmosFullNode) []diff.Resource[*corev1.
 func BuildClusterRoles(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.ClusterRole] {
 diffCr := make([]diff.Resource[*rbacv1.ClusterRole], 1)
 cr := rbacv1.ClusterRole{
+ TypeMeta: v1.TypeMeta{
+ Kind: "ClusterRole",
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ },
 ObjectMeta: v1.ObjectMeta{
 Name: clusterRoleName(crd),
 Namespace: crd.Namespace,
@@ -60,6 +68,8 @@ func BuildClusterRoles(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.Clu
 },
 }
+ cr.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")
+
 diffCr[0] = diff.Adapt(&cr, 0)
 return diffCr
@@ -71,6 +81,10 @@ func BuildClusterRoles(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.Clu
 func BuildClusterRoleBindings(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rbacv1.ClusterRoleBinding] {
 diffCrb := make([]diff.Resource[*rbacv1.ClusterRoleBinding], 1)
 crb := rbacv1.ClusterRoleBinding{
+ TypeMeta: v1.TypeMeta{
+ Kind: "ClusterRoleBinding",
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ },
 ObjectMeta: v1.ObjectMeta{
 Name: crd.Name + "-crb",
 Namespace: crd.Namespace,
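Review bot: `sa.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")` assigns the labels after the struct literal instead of inside its ObjectMeta, and the same call with the bare string `"vc"` is repeated in the BuildClusterRoles hunk below and the BuildClusterRoleBindings hunk at the end of the diff. Writing `Labels: defaultLabels(crd, kube.ComponentLabel, "vc"),` next to `Name:` in each ObjectMeta keeps the whole object in one literal, and a package-level constant for the component value (something like `const versionCheckComponent = "vc"`, name to match the project's conventions) used by all three builders stops the three objects from drifting apart on a typo. The ServiceAccount literal this hunk completes begins in the previous hunk.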
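Review bot: `Name: crd.Name + "-crb"` together with `Namespace: crd.Namespace` builds a cluster-scoped ClusterRoleBinding from the CR's namespaced name, so two CosmosFullNode objects with the same name in different namespaces map to a single binding and their reconcilers overwrite each other's subjects; the namespace field is ignored for cluster-scoped kinds, so it does not disambiguate. This is pre-existing code the new TypeMeta lines do not touch, but now that the manager holds cluster-wide create/update/delete on these objects, the collision also means namespace isolation between tenants is lost for this object. Folding the namespace into the name, e.g. `Name: crd.Namespace + "-" + crd.Name + "-crb"`, removes the ambiguity, and the same question applies to `clusterRoleName(crd)` in BuildClusterRoles if its body (outside this diff) does not already include the namespace. Renaming changes objects existing installs already own, so a cleanup of the old names would be needed alongside it.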
@@ -89,6 +103,8 @@ func BuildClusterRoleBindings(crd *cosmosv1.CosmosFullNode) []diff.Resource[*rba
 },
 }
+ crb.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")
+
 diffCrb[0] = diff.Adapt(&crb, 0)
 return diffCrb
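Review bot: The object labelled by `crb.Labels = defaultLabels(crd, kube.ComponentLabel, "vc")` is a ClusterRoleBinding, which grants the version-check service account its ClusterRole in every namespace; if the check only needs to read objects in `crd.Namespace`, a namespaced RoleBinding whose `roleRef` points at the same ClusterRole gives identical access at namespace scope and lets the manager's new cluster-wide `clusterrolebindings` permission be replaced by namespaced `rolebindings`. The rules the role carries are set in BuildClusterRoles outside this hunk, so this only holds if none of them target cluster-scoped resources. BuildClusterRoleBindings begins outside this hunk.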