diff --git a/pkg/manifests/fixtures/nginx/full.json b/pkg/manifests/fixtures/nginx/full.json index 19fc316c..d3feef60 100644 --- a/pkg/manifests/fixtures/nginx/full.json +++ b/pkg/manifests/fixtures/nginx/full.json @@ -66,31 +66,55 @@ "rules": [ { "verbs": [ - "get", - "watch", - "list" + "list", + "watch" ], "apiGroups": [ "" ], "resources": [ + "configmaps", "endpoints", + "nodes", "pods", - "services", "secrets", - "configmaps" + "namespaces" + ] + }, + { + "verbs": [ + "list", + "watch" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" ] }, { "verbs": [ - "*" + "get" ], "apiGroups": [ "" ], "resources": [ - "configmaps", - "events" + "nodes" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" ] }, { @@ -108,7 +132,19 @@ }, { "verbs": [ - "*" + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "update" ], "apiGroups": [ "networking.k8s.io" @@ -119,9 +155,9 @@ }, { "verbs": [ + "get", "list", - "watch", - "get" + "watch" ], "apiGroups": [ "networking.k8s.io" 
@@ -132,19 +168,180 @@ }, { "verbs": [ + "list", "watch", - "list" + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] + } + ] + }, + { + "kind": "ClusterRoleBinding", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + }, + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "test-operator-deploy", + "uid": "test-operator-deploy-uid" + } + ] + }, + "subjects": [ + { + "kind": "ServiceAccount", + "name": "nginx", + "namespace": "test-namespace" + } + ], + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "nginx" + } + }, + { + "kind": "Role", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "namespace": "test-namespace", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + }, + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "test-operator-deploy", + "uid": "test-operator-deploy-uid" + } + ] + }, + "rules": [ + { + "verbs": [ + "get" ], "apiGroups": [ "" ], "resources": [ - "nodes" + "namespaces" + ] + }, + { + "verbs": [ + "update" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps" ] }, { "verbs": [ - "*" + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps", + "pods", + "secrets", + "endpoints" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses" + ] + }, + { + 
"verbs": [ + "update" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses/status" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingressclasses" + ] + }, + { + "verbs": [ + "get", + "update" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" + ], + "resourceNames": [ + "nginx" + ] + }, + { + "verbs": [ + "create" ], "apiGroups": [ "coordination.k8s.io" @@ -152,14 +349,40 @@ "resources": [ "leases" ] + }, + { + "verbs": [ + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "list", + "watch", + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] } ] }, { - "kind": "ClusterRoleBinding", + "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "nginx", + "namespace": "test-namespace", "creationTimestamp": null, "labels": { "app.kubernetes.io/component": "ingress-controller", @@ -184,7 +407,7 @@ ], "roleRef": { "apiGroup": "rbac.authorization.k8s.io", - "kind": "ClusterRole", + "kind": "Role", "name": "nginx" } }, @@ -286,7 +509,7 @@ "containers": [ { "name": "controller", - "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.3.0", + "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1", "args": [ "/nginx-ingress-controller", "--ingress-class=webapprouting.kubernetes.azure.com", diff --git a/pkg/manifests/fixtures/nginx/internal.json b/pkg/manifests/fixtures/nginx/internal.json index de24cce6..d918e8db 100644 --- a/pkg/manifests/fixtures/nginx/internal.json +++ b/pkg/manifests/fixtures/nginx/internal.json 
@@ -66,31 +66,55 @@ "rules": [ { "verbs": [ - "get", - "watch", - "list" + "list", + "watch" ], "apiGroups": [ "" ], "resources": [ + "configmaps", "endpoints", + "nodes", "pods", - "services", "secrets", - "configmaps" + "namespaces" + ] + }, + { + "verbs": [ + "list", + "watch" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" ] }, { "verbs": [ - "*" + "get" ], "apiGroups": [ "" ], "resources": [ - "configmaps", - "events" + "nodes" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" ] }, { @@ -108,7 +132,19 @@ }, { "verbs": [ - "*" + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "update" ], "apiGroups": [ "networking.k8s.io" @@ -119,9 +155,9 @@ }, { "verbs": [ + "get", "list", - "watch", - "get" + "watch" ], "apiGroups": [ "networking.k8s.io" 
@@ -132,19 +168,180 @@ }, { "verbs": [ + "list", "watch", - "list" + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] + } + ] + }, + { + "kind": "ClusterRoleBinding", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + }, + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "test-operator-deploy", + "uid": "test-operator-deploy-uid" + } + ] + }, + "subjects": [ + { + "kind": "ServiceAccount", + "name": "nginx", + "namespace": "test-namespace" + } + ], + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "nginx" + } + }, + { + "kind": "Role", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "namespace": "test-namespace", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + }, + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "test-operator-deploy", + "uid": "test-operator-deploy-uid" + } + ] + }, + "rules": [ + { + "verbs": [ + "get" ], "apiGroups": [ "" ], "resources": [ - "nodes" + "namespaces" + ] + }, + { + "verbs": [ + "update" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps" ] }, { "verbs": [ - "*" + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps", + "pods", + "secrets", + "endpoints" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses" + ] + }, + { + 
"verbs": [ + "update" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses/status" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingressclasses" + ] + }, + { + "verbs": [ + "get", + "update" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" + ], + "resourceNames": [ + "nginx" + ] + }, + { + "verbs": [ + "create" ], "apiGroups": [ "coordination.k8s.io" @@ -152,14 +349,40 @@ "resources": [ "leases" ] + }, + { + "verbs": [ + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "list", + "watch", + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] } ] }, { - "kind": "ClusterRoleBinding", + "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "nginx", + "namespace": "test-namespace", "creationTimestamp": null, "labels": { "app.kubernetes.io/component": "ingress-controller", @@ -184,7 +407,7 @@ ], "roleRef": { "apiGroup": "rbac.authorization.k8s.io", - "kind": "ClusterRole", + "kind": "Role", "name": "nginx" } }, @@ -286,7 +509,7 @@ "containers": [ { "name": "controller", - "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.3.0", + "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1", "args": [ "/nginx-ingress-controller", "--ingress-class=nginx-private", diff --git a/pkg/manifests/fixtures/nginx/kube-system.json b/pkg/manifests/fixtures/nginx/kube-system.json index aa77a80e..4458e8fa 100644 --- a/pkg/manifests/fixtures/nginx/kube-system.json +++ b/pkg/manifests/fixtures/nginx/kube-system.json 
@@ -28,31 +28,55 @@ "rules": [ { "verbs": [ - "get", - "watch", - "list" + "list", + "watch" ], "apiGroups": [ "" ], "resources": [ + "configmaps", "endpoints", + "nodes", "pods", - "services", "secrets", - "configmaps" + "namespaces" + ] + }, + { + "verbs": [ + "list", + "watch" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" ] }, { "verbs": [ - "*" + "get" ], "apiGroups": [ "" ], "resources": [ - "configmaps", - "events" + "nodes" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" ] }, { @@ -70,7 +94,19 @@ }, { "verbs": [ - "*" + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "update" ], "apiGroups": [ "networking.k8s.io" @@ -81,9 +117,9 @@ }, { "verbs": [ + "get", "list", - "watch", - "get" + "watch" ], "apiGroups": [ "networking.k8s.io" 
@@ -94,19 +130,164 @@ }, { "verbs": [ + "list", "watch", - "list" + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] + } + ] + }, + { + "kind": "ClusterRoleBinding", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + } + }, + "subjects": [ + { + "kind": "ServiceAccount", + "name": "nginx", + "namespace": "kube-system" + } + ], + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "nginx" + } + }, + { + "kind": "Role", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "namespace": "kube-system", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + } + }, + "rules": [ + { + "verbs": [ + "get" ], "apiGroups": [ "" ], "resources": [ - "nodes" + "namespaces" ] }, { "verbs": [ - "*" + "update" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps", + "pods", + "secrets", + "endpoints" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses" + ] + }, + { + "verbs": [ + "update" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses/status" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingressclasses" + ] + }, + { + "verbs": [ + "get", + "update" + ], + "apiGroups": [ + 
"coordination.k8s.io" + ], + "resources": [ + "leases" + ], + "resourceNames": [ + "nginx" + ] + }, + { + "verbs": [ + "create" ], "apiGroups": [ "coordination.k8s.io" @@ -114,14 +295,40 @@ "resources": [ "leases" ] + }, + { + "verbs": [ + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "list", + "watch", + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] } ] }, { - "kind": "ClusterRoleBinding", + "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "nginx", + "namespace": "kube-system", "creationTimestamp": null, "labels": { "app.kubernetes.io/component": "ingress-controller", @@ -138,7 +345,7 @@ ], "roleRef": { "apiGroup": "rbac.authorization.k8s.io", - "kind": "ClusterRole", + "kind": "Role", "name": "nginx" } }, @@ -224,7 +431,7 @@ "containers": [ { "name": "controller", - "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.3.0", + "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1", "args": [ "/nginx-ingress-controller", "--ingress-class=webapprouting.kubernetes.azure.com", diff --git a/pkg/manifests/fixtures/nginx/no-ownership.json b/pkg/manifests/fixtures/nginx/no-ownership.json index 0f515777..15f19ade 100644 --- a/pkg/manifests/fixtures/nginx/no-ownership.json +++ b/pkg/manifests/fixtures/nginx/no-ownership.json 
@@ -42,31 +42,55 @@ "rules": [ { "verbs": [ - "get", - "watch", - "list" + "list", + "watch" ], "apiGroups": [ "" ], "resources": [ + "configmaps", "endpoints", + "nodes", "pods", - "services", "secrets", - "configmaps" + "namespaces" + ] + }, + { + "verbs": [ + "list", + "watch" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" ] }, { "verbs": [ - "*" + "get" ], "apiGroups": [ "" ], "resources": [ - "configmaps", - "events" + "nodes" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" ] }, { @@ -84,7 +108,19 @@ }, { "verbs": [ - "*" + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "update" ], "apiGroups": [ "networking.k8s.io" @@ -95,9 +131,9 @@ }, { "verbs": [ + "get", "list", - "watch", - "get" + "watch" ], "apiGroups": [ "networking.k8s.io" 
@@ -108,19 +144,164 @@ }, { "verbs": [ + "list", "watch", - "list" + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] + } + ] + }, + { + "kind": "ClusterRoleBinding", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + } + }, + "subjects": [ + { + "kind": "ServiceAccount", + "name": "nginx", + "namespace": "test-namespace" + } + ], + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "nginx" + } + }, + { + "kind": "Role", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "namespace": "test-namespace", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + } + }, + "rules": [ + { + "verbs": [ + "get" ], "apiGroups": [ "" ], "resources": [ - "nodes" + "namespaces" ] }, { "verbs": [ - "*" + "update" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps", + "pods", + "secrets", + "endpoints" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses" + ] + }, + { + "verbs": [ + "update" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses/status" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingressclasses" + ] + }, + { + "verbs": [ + "get", + "update" + ], + 
"apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" + ], + "resourceNames": [ + "nginx" + ] + }, + { + "verbs": [ + "create" ], "apiGroups": [ "coordination.k8s.io" @@ -128,14 +309,40 @@ "resources": [ "leases" ] + }, + { + "verbs": [ + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "list", + "watch", + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] } ] }, { - "kind": "ClusterRoleBinding", + "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "nginx", + "namespace": "test-namespace", "creationTimestamp": null, "labels": { "app.kubernetes.io/component": "ingress-controller", @@ -152,7 +359,7 @@ ], "roleRef": { "apiGroup": "rbac.authorization.k8s.io", - "kind": "ClusterRole", + "kind": "Role", "name": "nginx" } }, @@ -238,7 +445,7 @@ "containers": [ { "name": "controller", - "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.3.0", + "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1", "args": [ "/nginx-ingress-controller", "--ingress-class=webapprouting.kubernetes.azure.com", diff --git a/pkg/manifests/fixtures/nginx/optional-features-disabled.json b/pkg/manifests/fixtures/nginx/optional-features-disabled.json index 23bcc6e2..8132d4f7 100644 --- a/pkg/manifests/fixtures/nginx/optional-features-disabled.json +++ b/pkg/manifests/fixtures/nginx/optional-features-disabled.json 
@@ -42,31 +42,55 @@ "rules": [ { "verbs": [ - "get", - "watch", - "list" + "list", + "watch" ], "apiGroups": [ "" ], "resources": [ + "configmaps", "endpoints", + "nodes", "pods", - "services", "secrets", - "configmaps" + "namespaces" + ] + }, + { + "verbs": [ + "list", + "watch" + ], + "apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" ] }, { "verbs": [ - "*" + "get" ], "apiGroups": [ "" ], "resources": [ - "configmaps", - "events" + "nodes" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" ] }, { @@ -84,7 +108,19 @@ }, { "verbs": [ - "*" + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "update" ], "apiGroups": [ "networking.k8s.io" @@ -95,9 +131,9 @@ }, { "verbs": [ + "get", "list", - "watch", - "get" + "watch" ], "apiGroups": [ "networking.k8s.io" 
@@ -108,19 +144,164 @@ }, { "verbs": [ + "list", "watch", - "list" + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] + } + ] + }, + { + "kind": "ClusterRoleBinding", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + } + }, + "subjects": [ + { + "kind": "ServiceAccount", + "name": "nginx", + "namespace": "test-namespace" + } + ], + "roleRef": { + "apiGroup": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "name": "nginx" + } + }, + { + "kind": "Role", + "apiVersion": "rbac.authorization.k8s.io/v1", + "metadata": { + "name": "nginx", + "namespace": "test-namespace", + "creationTimestamp": null, + "labels": { + "app.kubernetes.io/component": "ingress-controller", + "app.kubernetes.io/managed-by": "aks-app-routing-operator", + "app.kubernetes.io/name": "nginx" + } + }, + "rules": [ + { + "verbs": [ + "get" ], "apiGroups": [ "" ], "resources": [ - "nodes" + "namespaces" ] }, { "verbs": [ - "*" + "update" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "configmaps", + "pods", + "secrets", + "endpoints" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "services" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses" + ] + }, + { + "verbs": [ + "update" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingresses/status" + ] + }, + { + "verbs": [ + "get", + "list", + "watch" + ], + "apiGroups": [ + "networking.k8s.io" + ], + "resources": [ + "ingressclasses" + ] + }, + { + "verbs": [ + "get", + "update" + ], + 
"apiGroups": [ + "coordination.k8s.io" + ], + "resources": [ + "leases" + ], + "resourceNames": [ + "nginx" + ] + }, + { + "verbs": [ + "create" ], "apiGroups": [ "coordination.k8s.io" @@ -128,14 +309,40 @@ "resources": [ "leases" ] + }, + { + "verbs": [ + "create", + "patch" + ], + "apiGroups": [ + "" + ], + "resources": [ + "events" + ] + }, + { + "verbs": [ + "list", + "watch", + "get" + ], + "apiGroups": [ + "discovery.k8s.io" + ], + "resources": [ + "endpointslices" + ] } ] }, { - "kind": "ClusterRoleBinding", + "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "nginx", + "namespace": "test-namespace", "creationTimestamp": null, "labels": { "app.kubernetes.io/component": "ingress-controller", @@ -152,7 +359,7 @@ ], "roleRef": { "apiGroup": "rbac.authorization.k8s.io", - "kind": "ClusterRole", + "kind": "Role", "name": "nginx" } }, @@ -237,7 +444,7 @@ "containers": [ { "name": "controller", - "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.3.0", + "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1", "args": [ "/nginx-ingress-controller", "--ingress-class=webapprouting.kubernetes.azure.com", diff --git a/pkg/manifests/fixtures/private-dns-zone-enabled.json b/pkg/manifests/fixtures/private-dns-zone-enabled.json index 7e41cd3b..14332234 100644 --- a/pkg/manifests/fixtures/private-dns-zone-enabled.json +++ b/pkg/manifests/fixtures/private-dns-zone-enabled.json @@ -206,7 +206,7 @@ "containers": [ { "name": "controller", - "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.2.1", + "image": "test-registry/oss/kubernetes/ingress/nginx-ingress-controller:v1.8.1", "args": [ "/nginx-ingress-controller", "--ingress-class=webapprouting.kubernetes.azure.com", diff --git a/pkg/manifests/nginx.go b/pkg/manifests/nginx.go index 8347b84a..011c90fe 100644 --- a/pkg/manifests/nginx.go +++ b/pkg/manifests/nginx.go 
@@ -23,7 +23,7 @@ import (
 )
 const (
- controllerImageTag = "v1.3.0"
+ controllerImageTag = "v1.8.1"
 prom = "prometheus"
 )
@@ -106,6 +106,8 @@ func NginxIngressControllerResources(conf *config.Config, self *appsv1.Deploymen
 newNginxIngressControllerServiceAccount(conf, ingressConfig),
 newNginxIngressControllerClusterRole(conf, ingressConfig),
 newNginxIngressControllerClusterRoleBinding(conf, ingressConfig),
+ newNginxIngressControllerRole(conf, ingressConfig),
+ newNginxIngressControllerRoleBinding(conf, ingressConfig),
 newNginxIngressControllerService(conf, ingressConfig),
 newNginxIngressControllerDeployment(conf, ingressConfig),
 newNginxIngressControllerConfigmap(conf, ingressConfig),
@@ -151,40 +153,121 @@ func newNginxIngressControllerClusterRole(conf *config.Config, ingressConfig *Ng
 Rules: []rbacv1.PolicyRule{
 {
 APIGroups: []string{""},
- Resources: []string{"endpoints", "pods", "services", "secrets", "configmaps"},
- Verbs: []string{"get", "watch", "list"},
+ Resources: []string{"configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"},
+ Verbs: []string{"list", "watch"},
+ },
+ {
+ APIGroups: []string{"coordination.k8s.io"},
+ Resources: []string{"leases"},
+ Verbs: []string{"list", "watch"},
 },
 {
 APIGroups: []string{""},
- Resources: []string{"configmaps", "events"},
- Verbs: []string{"*"},
+ Resources: []string{"nodes"},
+ Verbs: []string{"get"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"services"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"networking.k8s.io"},
 Resources: []string{"ingresses"},
 Verbs: []string{"get", "watch", "list"},
 },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{"create", "patch"},
+ },
 {
 APIGroups: []string{"networking.k8s.io"},
 Resources: []string{"ingresses/status"},
- Verbs: []string{"*"},
+ Verbs: []string{"update"},
 },
 {
 APIGroups: []string{"networking.k8s.io"},
 Resources: []string{"ingressclasses"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"discovery.k8s.io"},
+ Resources: []string{"endpointslices"},
 Verbs: []string{"list", "watch", "get"},
 },
+ },
+ }
+}
+
+func newNginxIngressControllerRole(conf *config.Config, ingressConfig *NginxIngressConfig) *rbacv1.Role {
+ return &rbacv1.Role{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "Role",
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: ingressConfig.ResourceName,
+ Labels: addComponentLabel(GetTopLevelLabels(), "ingress-controller"),
+ Namespace: conf.NS,
+ },
+ Rules: []rbacv1.PolicyRule{
 {
 APIGroups: []string{""},
- Resources: []string{"nodes"},
- Verbs: []string{"watch", "list"},
+ Resources: []string{"namespaces"},
+ Verbs: []string{"get"},
+ },
+ // temporary permission used for update from 1.3.0->1.8.1
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps"},
+ Verbs: []string{"update"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps", "pods", "secrets", "endpoints"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"services"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"networking.k8s.io"},
+ Resources: []string{"ingresses"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"networking.k8s.io"},
+ Resources: []string{"ingresses/status"},
+ Verbs: []string{"update"},
+ },
+ {
+ APIGroups: []string{"networking.k8s.io"},
+ Resources: []string{"ingressclasses"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"coordination.k8s.io"},
+ Resources: []string{"leases"},
+ ResourceNames: []string{ingressConfig.ResourceName},
+ Verbs: []string{"get", "update"},
 },
 {
- // required as of v1.3.0 due to controller switch to lease api
- // https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.3.0
 APIGroups: []string{"coordination.k8s.io"},
 Resources: []string{"leases"},
- Verbs: []string{"*"},
+ Verbs: []string{"create"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{"create", "patch"},
+ },
+ {
+ APIGroups: []string{"discovery.k8s.io"},
+ Resources: []string{"endpointslices"},
+ Verbs: []string{"list", "watch", "get"},
 },
 },
 }
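Review bot: The `configmaps` / `update` rule under `// temporary permission used for update from 1.3.0->1.8.1` in the new Role carries no `ResourceNames`, so the controller's ServiceAccount can overwrite every ConfigMap in `conf.NS`; the kube-system fixture in this commit shows that namespace can be `kube-system`. If the write is only needed for one object during the upgrade (presumably the old election ConfigMap, which this hunk does not name), scope it the same way the `leases` get/update rule is scoped, e.g. `ResourceNames: []string{"<election-configmap-name>"},`. The comment should also state the removal condition, e.g. `// TODO(<tracking issue>): drop once no cluster still runs the 1.3.0 controller`, so the grant does not outlive the migration. newNginxIngressControllerClusterRole begins outside the hunk.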
@@ -213,6 +296,30 @@ func newNginxIngressControllerClusterRoleBinding(conf *config.Config, ingressCon
 }
 }
+func newNginxIngressControllerRoleBinding(conf *config.Config, ingressConfig *NginxIngressConfig) *rbacv1.RoleBinding {
+ return &rbacv1.RoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "RoleBinding",
+ APIVersion: "rbac.authorization.k8s.io/v1",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: ingressConfig.ResourceName,
+ Namespace: conf.NS,
+ Labels: addComponentLabel(GetTopLevelLabels(), "ingress-controller"),
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: ingressConfig.ResourceName,
+ },
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Name: ingressConfig.ResourceName,
+ Namespace: conf.NS,
+ }},
+ }
+}
+
 func newNginxIngressControllerService(conf *config.Config, ingressConfig *NginxIngressConfig) *corev1.Service {
 isInternal := false
 hostname := ""
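Review bot: newNginxIngressControllerRoleBinding is added without a comment explaining why a namespaced binding now sits beside the ClusterRoleBinding, and that split is the security-relevant part of this commit. A short doc comment would keep a later edit from moving the write verbs back to cluster scope, e.g. `// newNginxIngressControllerRoleBinding binds the controller ServiceAccount to the Role in conf.NS, which holds the lease and configmap write verbs that the ClusterRole no longer grants.` The same applies to newNginxIngressControllerRole in the previous hunk.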