enhancement(rbac): add rbac for k8s event resource (#64)

KusionStack · Aug 28, 2023 · 74d27c7 · 74d27c7
1 parent 43d35c0
commit 74d27c7
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 17 deletions.
diff --git a/apis/apps/v1alpha1/collaset_types.go b/apis/apps/v1alpha1/collaset_types.go
@@ -240,8 +240,8 @@ type CollaSetCondition struct {
 	Message string `json:"message,omitempty"`
 }
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // CollaSet is the Schema for the collasets API
 // +k8s:openapi-gen=true

diff --git a/apis/apps/v1alpha1/resourcecontext_types.go b/apis/apps/v1alpha1/resourcecontext_types.go
@@ -43,7 +43,7 @@ type ResourceContext struct {
 	Spec ResourceContextSpec `json:"spec,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // ResourceContextList contains a list of ResourceContext
 type ResourceContextList struct {

diff --git a/apis/apps/v1alpha1/ruleset_types.go b/apis/apps/v1alpha1/ruleset_types.go
@@ -266,7 +266,7 @@ type RuleSet struct {
 	Status RuleSetStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // RuleSetList contains a list of RuleSet
 type RuleSetList struct {

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -95,6 +95,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:

diff --git a/pkg/controllers/collaset/collaset_controller.go b/pkg/controllers/collaset/collaset_controller.go
@@ -104,13 +104,15 @@ func AddToMgr(mgr ctrl.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=collasets,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=collasets/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=collasets/finalizers,verbs=update
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/finalizers,verbs=update
-//+kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=collasets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=collasets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=collasets/finalizers,verbs=update
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/finalizers,verbs=update
+// +kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;update;patch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/pkg/controllers/poddeletion/poddeletion_controller.go b/pkg/controllers/poddeletion/poddeletion_controller.go
@@ -82,6 +82,7 @@ func AddToMgr(mgr ctrl.Manager, r reconcile.Reconciler) error {
 
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;update;patch
 
 // Reconcile aims to delete Pod through PodOpsLifecycle. It will watch Pod with label `kafed.kusionstack.io/to-delete`.
 // If a Pod is labeled, controller will first trigger a deletion PodOpsLifecycle. If all conditions are satisfied,

diff --git a/pkg/controllers/podopslifecycle/podopslifecycle_controller.go b/pkg/controllers/podopslifecycle/podopslifecycle_controller.go
@@ -102,6 +102,8 @@ type ReconcilePodOpsLifecycle struct {
 
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;update;patch
+
 func (r *ReconcilePodOpsLifecycle) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	key := fmt.Sprintf("%s/%s", request.Namespace, request.Name)
 	klog.Infof("Reconcile Pod %s", key)

diff --git a/pkg/controllers/resourcecontext/resourcecontext_controller.go b/pkg/controllers/resourcecontext/resourcecontext_controller.go
@@ -84,9 +84,9 @@ func AddToMgr(mgr ctrl.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/finalizers,verbs=update
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=resourcecontexts/finalizers,verbs=update
 
 // Reconcile aims to reclaim ResourceContext which is not in used which means the ResourceContext contains no Context.
 func (r *ResourceContextReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

diff --git a/pkg/controllers/ruleset/ruleset_controller.go b/pkg/controllers/ruleset/ruleset_controller.go
@@ -108,9 +108,11 @@ type RuleSetReconciler struct {
 	logr.Logger
 }
 
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=rulesets,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=rulesets/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=apps.kusionstack.io,resources=rulesets/finalizers,verbs=update
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=rulesets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=rulesets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=apps.kusionstack.io,resources=rulesets/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=create;update;patch
 
 func (r *RuleSetReconciler) Reconcile(ctx context.Context, request reconcile.Request) (result reconcile.Result, reconcileErr error) {