Add RBAC role for accessing PlacementDecision resource #423
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BenamarMk
changed the title
BenamarMk
force-pushed
the
add_rbac_role_for_placementdecision
branch
from
24b96a9
to
7674dba
Compare
ShyamsundarR
approved these changes
Apr 6, 2022
BenamarMk
force-pushed
the
add_rbac_role_for_placementdecision
branch
from
7674dba
to
c76ab66
Compare
ShyamsundarR
reviewed
Apr 6, 2022
| @@ -448,10 +448,13 @@ func (r *DRPlacementControlReconciler) SetupWithManager(mgr ctrl.Manager) error | |||
| // +kubebuilder:rbac:groups=ramendr.openshift.io,resources=drpolicies,verbs=get;list;watch | |||
| // +kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=placementrules,verbs=get;list;watch;create;update;patch;delete | |||
| // +kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=placementrules/status,verbs=get;update;patch | |||
| // +kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=placementrules/finalizers,verbs="*" | |||
There was a problem hiding this comment.
@BenamarMk "" will fail security audit, it is preferred that required verbs are called out explicitly, such that in the future if a new verb is added the "" does not automatically grant the the rights to operate on it.
BenamarMk
force-pushed
the
add_rbac_role_for_placementdecision
branch
from
c76ab66
to
78178e5
Compare
This commit fixes https://bugzilla.redhat.com/show_bug.cgi?id=2071494. The PlacmentRule has been changed and now generates a placementDecision in the same namespace. The subscription watches the PlacementDecision changes and deploy the application to the managed clusters accordingly. The PlacementRule controller needs to be granted access to the PlacementDecision resource.
BenamarMk
force-pushed
the
add_rbac_role_for_placementdecision
branch
from
78178e5
to
2d45066
Compare
ShyamsundarR
approved these changes
Apr 6, 2022
ShyamsundarR
approved these changes
Apr 8, 2022
BenamarMk
force-pushed
the
add_rbac_role_for_placementdecision
branch
from
0760d53
to
49fd397
Compare
BenamarMk
force-pushed
the
add_rbac_role_for_placementdecision
branch
from
49fd397
to
0277769
Compare
ShyamsundarR
approved these changes
Apr 11, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes https://bugzilla.redhat.com/show_bug.cgi?id=2071494.
The PlacmentRule has been changed and now generates a placementDecision in the same namespace.
The subscription watches the PlacementDecision changes and deploy the application to the
managed clusters accordingly. The PlacementRule controller needs to be granted access to the
PlacementDecision resource.