eraser-dev · ashnamehrotra · Feb 1, 2024 · Feb 1, 2024 · Feb 1, 2024 · Feb 1, 2024
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: imagejob-pods-cluster-rolebinding
+  name: manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: imagejob-pods-cluster-role
+  name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: imagejob-pods
+  name: controller-manager
   namespace: system
@@ -7,9 +7,8 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
-- imagejob_pods_cluster_role.yaml
 - imagejob_pods_service.yaml
-- imagejob_pods_cluster_role_binding.yaml
+- cluster_role_binding.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

@@ -5,18 +5,6 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -26,52 +14,51 @@ rules:
   - list
   - watch
 - apiGroups:
-  - ""
+  - eraser.sh
   resources:
-  - pods
+  - imagejobs
   verbs:
   - create
   - delete
   - get
   - list
-  - update
   - watch
 - apiGroups:
-  - ""
+  - eraser.sh
   resources:
-  - podtemplates
+  - imagejobs/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - eraser.sh
   resources:
-  - imagejobs
+  - imagelists
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - eraser.sh
   resources:
-  - imagejobs/status
+  - imagelists/status
   verbs:
   - get
   - patch
   - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: manager-role
+  namespace: system
+rules:
 - apiGroups:
-  - eraser.sh
+  - ""
   resources:
-  - imagelists
+  - configmaps
   verbs:
   - create
   - delete
@@ -81,10 +68,25 @@ rules:
   - update
   - watch
 - apiGroups:
-  - eraser.sh
+  - ""
   resources:
-  - imagelists/status
+  - pods
   verbs:
+  - create
+  - delete
   - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - podtemplates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
   - patch
   - update
+  - watch
@@ -1,10 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: manager-rolebinding
+  namespace: system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: manager-role
 subjects:
 - kind: ServiceAccount

@@ -198,7 +198,11 @@ func add(mgr manager.Manager, r *Reconciler) error {
 	return nil
 }
 
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=pods,verbs=get;list;watch;update;create;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

@@ -188,10 +188,10 @@ func checkNodeFitness(pod *corev1.Pod, node *corev1.Node) bool {
 	return true
 }
 
-//+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs,verbs=get;list;watch;create;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagejobs/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

@@ -121,11 +121,11 @@ type Reconciler struct {
 	eraserConfig *config.Manager
 }
 
-//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=eraser.sh,resources=imagelists,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",namespace="system",resources=podtemplates,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=eraser.sh,resources=imagelists/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;update;create;delete
+//+kubebuilder:rbac:groups="",namespace="system",resources=pods,verbs=get;list;watch;update;create;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

@@ -32,11 +32,14 @@ import (
 	"k8s.io/utils/inotify"
 	"sigs.k8s.io/yaml"
 
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 
 	"github.com/eraser-dev/eraser/api/unversioned"
@@ -50,6 +53,7 @@ import (
 	v1alpha3Config "github.com/eraser-dev/eraser/api/v1alpha3/config"
 	"github.com/eraser-dev/eraser/controllers"
 	"github.com/eraser-dev/eraser/pkg/logger"
+	"github.com/eraser-dev/eraser/pkg/utils"
 	"github.com/eraser-dev/eraser/version"
 	//+kubebuilder:scaffold:imports
 )
@@ -104,6 +108,26 @@ func main() {
 		Port:                   9443,
 		HealthProbeBindAddress: ":8081",
 		LeaderElection:         false,
+		NewCache: cache.BuilderWithOptions(cache.Options{
+			SelectorsByObject: cache.SelectorsByObject{
+				// to watch eraser pods
+				&corev1.Pod{}: {
+					Field: fields.OneTermEqualSelector("metadata.namespace", utils.GetNamespace()),
+				},
+				// to watch eraser podTemplates
+				&corev1.PodTemplate{}: {
+					Field: fields.OneTermEqualSelector("metadata.namespace", utils.GetNamespace()),
+				},
+				// to watch eraser-manager-configs
+				&corev1.ConfigMap{}: {
+					Field: fields.OneTermEqualSelector("metadata.namespace", utils.GetNamespace()),
+				},
+				// to watch ImageJobs
+				&eraserv1.ImageJob{}: {},
+				// to watch ImageLists
+				&eraserv1.ImageList{}: {},
+			},
+		}),
 	}
 
 	if configFile == "" {

@@ -9,18 +9,6 @@ metadata:
     helm.sh/chart: '{{ template "eraser.name" . }}'
   name: eraser-manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -29,29 +17,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - podtemplates
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - eraser.sh
   resources:
@@ -61,8 +26,6 @@ rules:
   - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - eraser.sh
@@ -77,12 +40,8 @@ rules:
   resources:
   - imagelists
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - eraser.sh