diff --git a/charts/spaces-operator/templates/rbac.yaml b/charts/spaces-operator/templates/rbac.yaml index beed4fe..a1f5aea 100644 --- a/charts/spaces-operator/templates/rbac.yaml +++ b/charts/spaces-operator/templates/rbac.yaml 
@@ -54,210 +54,7 @@ metadata: control-plane: controller-manager name: spaces-operator-manager-role rules: -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - - customresourcedefinitions/status - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - controllerrevisions - - daemonsets - - daemonsets/status - - deployments - - deployments/scale - - deployments/status - - replicasets - - replicasets/scale - - replicasets/status - - statefulsets - - statefulsets/scale - - statefulsets/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - batch - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - bindings - - configmaps - - endpoints - - events - - persistentvolumeclaims - - persistentvolumeclaims/status - - pods - - pods/attach - - pods/binding - - pods/eviction - - pods/exec - - pods/log - - pods/portforward - - pods/proxy - - pods/status - - replicasets - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - - secrets - - serviceaccounts - - serviceaccounts/token - - services - - services/proxy - - services/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - namespaces - - namespaces/finalize - - namespaces/status - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - nodes/status - - persistentvolumes - - persistentvolumes/status - verbs: - - get - - list - - watch -- apiGroups: - - external-secrets.io - resources: - - 
externalsecrets - - secretstores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - alertmanagerconfigs - - alertmanagers - - podmonitors - - probes - - servicemonitors - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - - ingresses - - ingresses/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - sloth.slok.dev - resources: - - prometheusservicelevels - verbs: - - create - - delete - - get - - list - - patch - - update - - watch +# The spaces resource permissions are always required - apiGroups: - spaces.samba.tv resources: @@ -284,6 +81,12 @@ rules: - get - patch - update + # Add core permissions configured in values + {{- toYaml .Values.clusterrole.rules.core | nindent 2 }} + # Add more permissions configured in values + {{- if .Values.clusterrole.rules.more -}} + {{- toYaml .Values.clusterrole.rules.more | nindent 2 }} + {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -314,4 +117,3 @@ roleRef: subjects: - kind: ServiceAccount name: spaces-operator-controller-manager - namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/spaces-operator/values.yaml b/charts/spaces-operator/values.yaml index 59092d2..35469f1 100644 --- a/charts/spaces-operator/values.yaml +++ b/charts/spaces-operator/values.yaml 
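Review bot: The indentation of the values-sourced rules is only correct if the existing `- apiGroups:` items in this `rules:` list sit at column 2; the collapsed hunk does not show that, and kubebuilder-style role files put them at column 0, in which case `nindent 2` lands the appended rules at the indent of the preceding `verbs` sequence and the API server rejects them as malformed verbs. Check the `helm template` output and use `nindent` with the same column as the static rules (e.g. `{{- toYaml .Values.clusterrole.rules.core | nindent 0 }}` if they are at column 0). The template also renders a bare `null` when a consumer sets `clusterrole.rules.core` to empty, so a guard such as `{{- with .Values.clusterrole.rules.core }}{{ toYaml . | nindent 2 }}{{- end }}` is safer than the unconditional `toYaml`. Since this role (a ClusterRole, per the `clusterrole` values key) already carries write access to `secrets`, `pods/exec`, `serviceaccounts/token` and `clusterrolebindings`, the comment at the `more` insertion point should state that anything placed there is a cluster-wide grant to the operator's service account.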
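Review bot: Dropping `namespace:` from the ServiceAccount subject will, as far as I recall, fail RBAC validation — the API server requires `namespace` on `ServiceAccount` subjects in both RoleBinding and ClusterRoleBinding, so the rendered binding is rejected at apply time rather than defaulting to the release namespace. If the intent is to bind the operator SA from wherever the chart is installed, the removed line already did that; keep `  namespace: {{ .Release.Namespace }}` (and restore the file's trailing newline). If the SA is meant to live in a different namespace, make that an explicit value rather than omitting the field. The binding's `kind` and `roleRef` are outside this hunk, so I cannot tell which binding this is.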
@@ -83,11 +83,185 @@ affinity: {} # Controller-specific config +# When running more than one replica leaderElect: enabled: false +# When running high-availability podDisruptionBudget: enabled: false +# When scraping prometheus metrics prometheus: enabled: false + +# All permissions for Team roles must be granted to the operator Team controller. +clusterrole: + rules: + # More api groups can be configured, however + more: [] + # The core api groups shouldn't need to be reconfigured + core: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + - customresourcedefinitions/status + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - bindings + - configmaps + - endpoints + - events + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - pods/attach + - pods/binding + - pods/eviction + - pods/exec + - pods/log + - pods/portforward + - pods/proxy + - pods/status + - replicasets + - replicationcontrollers + - replicationcontrollers/scale + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + - secrets + - serviceaccounts + - serviceaccounts/token + - services + - services/proxy + - services/status + verbs: + - create + - delete + - get + - list + - patch + - update + 
- watch + - apiGroups: + - "" + resources: + - namespaces + - namespaces/finalize + - namespaces/status + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/status + - persistentvolumes + - persistentvolumes/status + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + - ingresses + - ingresses/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - create + - get + - list + - patch + - update + - watch diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index e4a9665..5de7ccd 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -129,35 +129,6 @@ rules: - get - list - watch -- apiGroups: - - external-secrets.io - resources: - - externalsecrets - - secretstores - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - alertmanagerconfigs - - alertmanagers - - podmonitors - - probes - - servicemonitors - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - networking.k8s.io resources: @@ -172,18 +143,6 @@ rules: - patch - update - watch -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - rbac.authorization.k8s.io resources: @@ -198,18 +157,6 @@ rules: - patch - update - watch -- apiGroups: - - sloth.slok.dev - resources: - - prometheusservicelevels - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - spaces.samba.tv resources: 
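Review bot: `clusterrole.rules.more` turns the operator's cluster-wide permissions into a free-form value with no schema check, and the `core` list it extends already includes `secrets`, `pods/exec`, `serviceaccounts/token`, `nodes/proxy` and create/update on `clusterroles`/`clusterrolebindings`, so any rule a chart consumer adds there is effectively a cluster-admin-level grant to the operator's service account. The comment above `more: []` also stops mid-sentence (`More api groups can be configured, however`); suggest completing it with `# Extra rules appended to the operator ClusterRole (e.g. external-secrets.io, monitoring.coreos.com, sloth.slok.dev when Team resources reference them). Every entry is a cluster-wide grant, so keep it to the minimum the Team controller reconciles.` and adding a `values.schema.json` entry that constrains each `more` item to `apiGroups`/`resources`/`verbs` string arrays. Note that external-secrets.io, monitoring.coreos.com and sloth.slok.dev are removed from the rendered role and absent from `core`, so an existing deployment that reconciled those resources will start getting Forbidden errors unless `more` is populated — worth a line in the chart README or NOTES.txt.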
diff --git a/controllers/v1beta1/team_controller.go b/controllers/v1beta1/team_controller.go index 766d604..3d81553 100644 --- a/controllers/v1beta1/team_controller.go +++ b/controllers/v1beta1/team_controller.go @@ -49,10 +49,6 @@ type TeamReconciler struct { // +kubebuilder:rbac:groups=batch,resources=cronjobs;cronjobs/status;jobs;jobs/status,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingressclasses;ingresses;ingresses/status,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=external-secrets.io,resources=externalsecrets;secretstores,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=alertmanagers;alertmanagerconfigs;podmonitors;probes;servicemonitors,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=sloth.slok.dev,resources=prometheusservicelevels,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=spaces.samba.tv,resources=teams,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=spaces.samba.tv,resources=teams/status,verbs=get;update;patch // +kubebuilder:rbac:groups=spaces.samba.tv,resources=teams/finalizers,verbs=update