From 524677a1cfdb668a246c08c7a6ffff5d97b5bd10 Mon Sep 17 00:00:00 2001
From: Jiri Podivin
Date: Thu, 4 Jul 2024 16:07:11 +0200
Subject: [PATCH] Adding patch rbac perm for serviceaccounts

We also took the opportunity and added patch to all the existing rbac rules that had update already to avoid similar issues in the future
Resolves: https://issues.redhat.com/browse/OSPRH-8363
Signed-off-by: Jiri Podivin
---
 config/rbac/role.yaml | 9 ++++++++
 .../client/openstackclient_controller.go | 6 ++---
 .../core/openstackcontrolplane_controller.go | 2 +-
 .../core/openstackversion_controller.go | 10 ++++----
 ...openstackdataplanedeployment_controller.go | 5 +---
 .../openstackdataplanenodeset_controller.go | 23 +++++++++++--------
 6 files changed, 32 insertions(+), 23 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index a8675d2ae..71a73f024 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -123,6 +123,7 @@ rules:
 resources:
 - openstackbaremetalsets/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - baremetal.openstack.org
@@ -257,6 +258,7 @@ rules:
 resources:
 - openstackcontrolplanes/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - core.openstack.org
@@ -283,6 +285,7 @@ rules:
 resources:
 - openstackversions/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - core.openstack.org
@@ -307,6 +310,7 @@ rules:
 resources:
 - openstackdataplanedeployments/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - dataplane.openstack.org
@@ -333,6 +337,7 @@ rules:
 resources:
 - openstackdataplanenodesets/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - dataplane.openstack.org
@@ -358,6 +363,7 @@ rules:
 resources:
 - openstackdataplaneservices/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - designate.openstack.org
@@ -550,6 +556,7 @@ rules:
 resources:
 - dnsdata/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - network.openstack.org
@@ -592,6 +599,7 @@ rules:
 resources:
 - ipsets/finalizers
 verbs:
+ - patch
 - update
 - apiGroups:
 - network.openstack.org
@@ -728,6 +736,7 @@ rules:
 - create
 - get
 - list
+ - patch
 - update
 - watch
 - apiGroups:
diff --git a/controllers/client/openstackclient_controller.go b/controllers/client/openstackclient_controller.go
index a7575a0e4..4936f0a7a 100644
--- a/controllers/client/openstackclient_controller.go
+++ b/controllers/client/openstackclient_controller.go
@@ -78,11 +78,11 @@ func (r *OpenStackClientReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;
 // service account, role, rolebinding
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
-// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch;patch
 // Reconcile -
 func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
diff --git a/controllers/core/openstackcontrolplane_controller.go b/controllers/core/openstackcontrolplane_controller.go
index c2f3296e5..08312ee7c 100644
--- a/controllers/core/openstackcontrolplane_controller.go
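Review bot: The pods marker at the end of the openstackclient_controller.go hunk now lists `patch` twice (`verbs=create;delete;get;list;patch;update;watch;patch`); `patch` was already in the old line, so the appended `;patch` is redundant and should be dropped: `// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch`. None of the nine `- patch` insertions in the regenerated role.yaml belongs to a pods rule, so controller-gen appears to have collapsed the duplicate and the rendered role is unchanged, but the stale marker misleads anyone auditing the markers against the generated rules. The roles and rolebindings markers in the same hunk gain `patch` cleanly; Reconcile's body lies outside the hunk.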
+++ b/controllers/core/openstackcontrolplane_controller.go
@@ -80,7 +80,7 @@ func (r *OpenStackControlPlaneReconciler) GetLogger(ctx context.Context) logr.Lo
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions,verbs=get;list;create
 //+kubebuilder:rbac:groups=ironic.openstack.org,resources=ironics,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients,verbs=get;list;watch;create;update;patch;delete
diff --git a/controllers/core/openstackversion_controller.go b/controllers/core/openstackversion_controller.go
index ffc8cab14..203181de4 100644
--- a/controllers/core/openstackversion_controller.go
+++ b/controllers/core/openstackversion_controller.go
@@ -39,8 +39,10 @@ import (
 "github.com/openstack-k8s-operators/openstack-operator/pkg/openstack"
 )
-var envContainerImages (map[string]*string)
-var envAvailableVersion string
+var (
+ envContainerImages (map[string]*string)
+ envAvailableVersion string
+)
 // SetupVersionDefaults -
 func SetupVersionDefaults() {
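Review bot: The openstackcontrolplanes/finalizers marker gains `patch` although no Patch call on that subresource appears anywhere in the diff, and the same preemptive widening is applied to the finalizers markers in the openstackversion, openstackdataplanedeployment and openstackdataplanenodeset hunks; the commit message justifies it only as mirroring the existing `update` grants. As I understand it the `*/finalizers` subresource rule serves the owner-reference admission check, which evaluates `update`, so the added verbs are probably inert, while the change the ticket title describes appears to be the serviceaccounts marker in the nodeset controller. Verbs that no code path exercises make a later least-privilege review harder, so either leave the finalizers rules at `update` or record the intent with a one-line comment above the marker block, e.g. `// finalizers rules list patch alongside update deliberately (OSPRH-8363); no code path currently patches the subresource`.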
@@ -72,7 +74,7 @@ func (r *OpenStackVersionReconciler) GetLogger(ctx context.Context) logr.Logger
 // +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=core.openstack.org,resources=openstackcontrolplanes,verbs=get;list;watch
 // +kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=get;list;watch
@@ -82,7 +84,6 @@ func (r *OpenStackVersionReconciler) GetLogger(ctx context.Context) logr.Logger
 // For more details, check Reconcile and its Result here:
 // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.1/pkg/reconcile
 func (r *OpenStackVersionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
-
 Log := r.GetLogger(ctx)
 Log.Info("Reconciling OpenStackVersion")
 // Fetch the instance
@@ -293,7 +294,6 @@ func (r *OpenStackVersionReconciler) Reconcile(ctx context.Context, req ctrl.Req
 // SetupWithManager sets up the controller with the Manager.
 func (r *OpenStackVersionReconciler) SetupWithManager(mgr ctrl.Manager) error {
-
 versionFunc := handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, o client.Object) []reconcile.Request {
 Log := r.GetLogger(ctx)
 versionList := &corev1beta1.OpenStackVersionList{}
diff --git a/controllers/dataplane/openstackdataplanedeployment_controller.go b/controllers/dataplane/openstackdataplanedeployment_controller.go
index 57fda3b0c..bf4404bf6 100644
--- a/controllers/dataplane/openstackdataplanedeployment_controller.go
+++ b/controllers/dataplane/openstackdataplanedeployment_controller.go
@@ -55,7 +55,7 @@ func (r *OpenStackDataPlaneDeploymentReconciler) GetLogger(ctx context.Context)
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments,verbs=get;list;watch;create;delete
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments/finalizers,verbs=update
+//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanedeployments/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=get;list;watch
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices,verbs=get;list;watch
 //+kubebuilder:rbac:groups=ansibleee.openstack.org,resources=openstackansibleees,verbs=get;list;watch;create;update;patch;delete
@@ -66,7 +66,6 @@ func (r *OpenStackDataPlaneDeploymentReconciler) GetLogger(ctx context.Context)
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 func (r *OpenStackDataPlaneDeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
-
 Log := r.GetLogger(ctx)
 Log.Info("Reconciling Deployment")
@@ -260,7 +259,6 @@ func (r *OpenStackDataPlaneDeploymentReconciler) Reconcile(ctx context.Context,
 err.Error())
 return ctrl.Result{}, err
 }
-
 }
 version, err := dataplaneutil.GetVersion(ctx, helper, instance.Namespace)
@@ -383,7 +381,6 @@ func (r *OpenStackDataPlaneDeploymentReconciler) setHashes(
 instance *dataplanev1.OpenStackDataPlaneDeployment,
 nodeSets dataplanev1.OpenStackDataPlaneNodeSetList,
 ) error {
-
 var err error
 services := []string{}
diff --git a/controllers/dataplane/openstackdataplanenodeset_controller.go b/controllers/dataplane/openstackdataplanenodeset_controller.go
index e6ebdb4c9..d9bd48388 100644
--- a/controllers/dataplane/openstackdataplanenodeset_controller.go
+++ b/controllers/dataplane/openstackdataplanenodeset_controller.go
@@ -77,31 +77,31 @@ func (r *OpenStackDataPlaneNodeSetReconciler) GetLogger(ctx context.Context) log
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets/finalizers,verbs=update
+//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplanenodesets/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices,verbs=get;list;watch;create;update;patch
-//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices/finalizers,verbs=update
+//+kubebuilder:rbac:groups=dataplane.openstack.org,resources=openstackdataplaneservices/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets/status,verbs=get
-//+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets/finalizers,verbs=update
+//+kubebuilder:rbac:groups=baremetal.openstack.org,resources=openstackbaremetalsets/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets/status,verbs=get
-//+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets/finalizers,verbs=update
+//+kubebuilder:rbac:groups=network.openstack.org,resources=ipsets/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=netconfigs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsmasqs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsmasqs/status,verbs=get
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata/status,verbs=get
-//+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata/finalizers,verbs=update
+//+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata/finalizers,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
 //+kubebuilder:rbac:groups=core.openstack.org,resources=openstackversions,verbs=get;list;watch
 // RBAC for the ServiceAccount for the internal image registry
-//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
-//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
+//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 //+kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
@@ -645,7 +645,8 @@ func (r *OpenStackDataPlaneNodeSetReconciler) SetupWithManager(mgr ctrl.Manager)
 }
 func (r *OpenStackDataPlaneNodeSetReconciler) secretWatcherFn(
- ctx context.Context, obj client.Object) []reconcile.Request {
+ ctx context.Context, obj client.Object,
+) []reconcile.Request {
 Log := r.GetLogger(ctx)
 nodeSets := &dataplanev1.OpenStackDataPlaneNodeSetList{}
 kind := strings.ToLower(obj.GetObjectKind().GroupVersionKind().Kind)
@@ -680,7 +681,8 @@ func (r *OpenStackDataPlaneNodeSetReconciler) secretWatcherFn(
 }
 func (r *OpenStackDataPlaneNodeSetReconciler) genericWatcherFn(
- ctx context.Context, obj client.Object) []reconcile.Request {
+ ctx context.Context, obj client.Object,
+) []reconcile.Request {
 Log := r.GetLogger(ctx)
 nodeSets := &dataplanev1.OpenStackDataPlaneNodeSetList{}
@@ -707,7 +709,8 @@ func (r *OpenStackDataPlaneNodeSetReconciler) genericWatcherFn(
 func (r *OpenStackDataPlaneNodeSetReconciler) deploymentWatcherFn(
 ctx context.Context, //revive:disable-line
- obj client.Object) []reconcile.Request {
+ obj client.Object,
+) []reconcile.Request {
 namespace := obj.GetNamespace()
 deployment := obj.(*dataplanev1.OpenStackDataPlaneDeployment)