Enable extension of controller rbac clusterrole api rules
- Add config w/ defaults to chart values.yaml
- Modify templates/rbac.yaml to use configured chart values
- Remove non-core resource perms from team controller kubebuilder annotations
- Rebuild config/rbac/role.yaml to reflect their removal
mojochao committed Mar 6, 2023
1 parent 5d7b55f commit 16bbc09
Showing 4 changed files with 181 additions and 262 deletions.
212 changes: 7 additions & 205 deletions charts/spaces-operator/templates/rbac.yaml
Expand Up @@ -54,210 +54,7 @@ metadata:
control-plane: controller-manager
name: spaces-operator-manager-role
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
- customresourcedefinitions/status
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- controllerrevisions
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- replicasets
- replicasets/scale
- replicasets/status
- statefulsets
- statefulsets/scale
- statefulsets/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
- horizontalpodautoscalers/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
- cronjobs/status
- jobs
- jobs/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- bindings
- configmaps
- endpoints
- events
- persistentvolumeclaims
- persistentvolumeclaims/status
- pods
- pods/attach
- pods/binding
- pods/eviction
- pods/exec
- pods/log
- pods/portforward
- pods/proxy
- pods/status
- replicasets
- replicationcontrollers
- replicationcontrollers/scale
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
- secrets
- serviceaccounts
- serviceaccounts/token
- services
- services/proxy
- services/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- namespaces
- namespaces/finalize
- namespaces/status
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- nodes
- nodes/proxy
- nodes/status
- persistentvolumes
- persistentvolumes/status
verbs:
- get
- list
- watch
- apiGroups:
- external-secrets.io
resources:
- externalsecrets
- secretstores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- alertmanagerconfigs
- alertmanagers
- podmonitors
- probes
- servicemonitors
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
- ingresses
- ingresses/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- rolebindings
- roles
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- sloth.slok.dev
resources:
- prometheusservicelevels
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
# The spaces resource permissions are always required
- apiGroups:
- spaces.samba.tv
resources:
Expand All @@ -284,6 +81,12 @@ rules:
- get
- patch
- update
# Add core permissions configured in values
{{- toYaml .Values.clusterrole.rules.core | nindent 2 }}
# Add more permissions configured in values
{{- if .Values.clusterrole.rules.more -}}
{{- toYaml .Values.clusterrole.rules.more | nindent 2 }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
Expand Down Expand Up @@ -314,4 +117,3 @@ roleRef:
subjects:
- kind: ServiceAccount
name: spaces-operator-controller-manager
namespace: {{ .Release.Namespace }}
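Review bot: In the second hunk, `{{- toYaml .Values.clusterrole.rules.core | nindent 2 }}` splices the value straight into the `rules:` sequence with no check that it is set or that it is a list; if an installer omits `clusterrole.rules.core` Helm renders `null` at sequence indentation, and a scalar or map there renders a broken ClusterRole, so the failure surfaces as an opaque YAML or API-server error at install time instead of a clear message. Wrapping it as `{{- toYaml (required "clusterrole.rules.core must be a list of PolicyRule entries" .Values.clusterrole.rules.core) | nindent 2 }}` fails fast, and a `values.schema.json` constraining both `rules.core` and `rules.more` to arrays of objects with `apiGroups`/`resources`/`verbs` would catch malformed overrides at `helm lint`. Because this is a ClusterRole, everything supplied through either key becomes a cluster-wide grant, and the hard-coded rules removed in the first hunk included `secrets`, `pods/exec`, `serviceaccounts/token` and create/update on `clusterroles`/`clusterrolebindings`; whether the new values.yaml defaults still carry those is not visible in this file, so a comment above the include such as `# NOTE: these rules bind cluster-wide; review the values.yaml defaults for escalation-capable resources (secrets, pods/exec, serviceaccounts/token, rbac.authorization.k8s.io/*)` would help the next maintainer.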
