From e05bc8d6abc1ebe65928c13729e3f1a0313602fa Mon Sep 17 00:00:00 2001 From: Kobi Kadosh Date: Tue, 6 Jun 2023 14:28:00 +0300 Subject: [PATCH 1/4] CNS-2921: openshift DeploymentConfig watcher permissions --- .../cbcontainers-agent-chart/templates/rbac.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml b/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml index e4e11c81..c154e73e 100644 --- a/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml +++ b/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml @@ -80,6 +80,7 @@ rules: - networking.k8s.io - rbac - rbac.authorization.k8s.io + - apps.openshift.io resources: - clusterrolebindings - cronjobs @@ -96,6 +97,7 @@ rules: - rolebindings - services - statefulsets + - deploymentconfigs verbs: - watch --- From 070985bdc18c2d3c4034e88175429b4f0cd0b4ba Mon Sep 17 00:00:00 2001 From: Kobi Kadosh Date: Thu, 8 Jun 2023 20:13:16 +0300 Subject: [PATCH 2/4] CNS-2966: openshift Route watcher permissions --- .../cbcontainers-agent-chart/templates/rbac.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml b/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml index c154e73e..1e55200a 100644 --- a/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml +++ b/charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml @@ -81,6 +81,7 @@ rules: - rbac - rbac.authorization.k8s.io - apps.openshift.io + - route.openshift.io resources: - clusterrolebindings - cronjobs @@ -98,6 +99,7 @@ rules: - services - statefulsets - deploymentconfigs + - routes verbs: - watch --- From 9e4a56b3d6429fdbc0e67c4ff26dac2bac1c1965 Mon Sep 17 00:00:00 2001 
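Review bot: Appending `apps.openshift.io` and `deploymentconfigs` to the existing rule widens it more than needed, because an RBAC rule grants every listed verb on every listed resource in every listed group. The list that precedes `resources:` is presumably `apiGroups`; its key sits outside the hunk, and the rule continues above and below both hunks. A dedicated rule keeps the grant to exactly `watch` on `deploymentconfigs` in `apps.openshift.io` and makes the OpenShift-only part easy to audit or to template out on plain Kubernetes. The same applies to the `route.openshift.io`/`routes` hunks in patch 2 and to `config/rbac/dataplane_roles.yaml` in patch 4.

```yaml
# … unchanged: existing watch rule for the built-in API groups …
- apiGroups:
    - apps.openshift.io
  resources:
    - deploymentconfigs
  verbs:
    - watch
```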
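Review bot: `watch` on `routes` lets the agent's service account read every Route in full, and a Route can carry its TLS private key inline in `spec.tls.key`, so this grant is closer to read access on secrets than the other entries in the list. That deserves a comment next to the entry, e.g. `# routes may embed TLS private keys (spec.tls.key); consumers must not log or forward that field`, and a check that the watcher strips the field if it reports objects upstream. Patch 3 also sends these objects through the enforcer webhooks, where the admission request contains the same data. The same point holds for the `routes` entry added in patch 4.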
From: Kobi Kadosh Date: Mon, 12 Jun 2023 14:43:11 +0300 Subject: [PATCH 3/4] support openshift DeploymentConfig & Route in enforcer webhooks --- cbcontainers/state/components/enforcer_mutating_webhook.go | 2 ++ cbcontainers/state/components/enforcer_validating_webhook.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/cbcontainers/state/components/enforcer_mutating_webhook.go b/cbcontainers/state/components/enforcer_mutating_webhook.go index 3081b93b..6711eeaa 100644 --- a/cbcontainers/state/components/enforcer_mutating_webhook.go +++ b/cbcontainers/state/components/enforcer_mutating_webhook.go @@ -206,6 +206,8 @@ func (obj *EnforcerMutatingWebhookK8sObject) getResourcesList() []string { "cronjobs", "ingresses", "customresourcedefinitions", + "deploymentconfigs", + "routes", } } diff --git a/cbcontainers/state/components/enforcer_validating_webhook.go b/cbcontainers/state/components/enforcer_validating_webhook.go index be16f306..1e855f1e 100644 --- a/cbcontainers/state/components/enforcer_validating_webhook.go +++ b/cbcontainers/state/components/enforcer_validating_webhook.go @@ -216,6 +216,8 @@ func (obj *EnforcerValidatingWebhookK8sObject) getResourcesList() []string { "cronjobs", "ingresses", "customresourcedefinitions", + "deploymentconfigs", + "routes", } } From f11aa21629e7312057da0660507974acb434b0e4 Mon Sep 17 00:00:00 2001 From: Kobi Kadosh Date: Thu, 15 Jun 2023 11:21:31 +0300 Subject: [PATCH 4/4] rbac changes in kustomize --- config/rbac/dataplane_roles.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rbac/dataplane_roles.yaml b/config/rbac/dataplane_roles.yaml index 9304b7b3..6aab8a8f 100644 --- a/config/rbac/dataplane_roles.yaml +++ b/config/rbac/dataplane_roles.yaml @@ -94,6 +94,8 @@ rules: - networking.k8s.io - rbac - rbac.authorization.k8s.io + - apps.openshift.io + - route.openshift.io resources: - clusterrolebindings - cronjobs 
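Review bot: The two new entries in `getResourcesList` of `enforcer_mutating_webhook.go` only extend the resource names, while a webhook rule matches on API group as well, and the group list is not visible in this hunk. Unless that list already contains `apps.openshift.io` and `route.openshift.io` or is a wildcard, the enforcer will never be called for DeploymentConfigs or Routes and the change silently has no effect. If it is a wildcard, `routes` will also match any other API group that serves a resource with that name. A comment above the entries would record the dependency: `// OpenShift resources (apps.openshift.io, route.openshift.io); the rule's API groups must cover both`. The function body starts outside the hunk.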
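Review bot: `getResourcesList` in `enforcer_validating_webhook.go` gets the same two literals as the mutating webhook, so the resource list is now maintained by hand in two places. If the lists diverge, a resource kind can end up mutated but never validated, or the reverse, which is hard to notice from the outside. Consider one package-level slice, for example `var enforcedResources = []string{ ... }`, returned by both methods, or at least a comment on each list naming the other file. Only the tail of the function is visible in the hunk.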
@@ -110,5 +112,7 @@ rules: - rolebindings - services - statefulsets + - deploymentconfigs + - routes verbs: - watch \ No newline at end of file
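Review bot: This rule in `config/rbac/dataplane_roles.yaml` is a hand-kept copy of the one in the chart's `templates/rbac.yaml`, and it was only brought in line by a separate, later patch, so the two can drift. Drift here means one install path ends up with broader or narrower agent permissions than the other. A comment above the rule such as `# keep in sync with charts/cbcontainers-agent/cbcontainers-agent-chart/templates/rbac.yaml`, or a CI step that diffs the rendered roles, would catch it. The rule starts above the first hunk of this file.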