Fix RBAC for kustomize

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
alexellis · Aug 18, 2020 · 3482e97 · 3482e97
1 parent 64a4aa7
commit 3482e97
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -25,13 +25,14 @@ Backlog (done):
 - [x] Watch new namespaces and create new secrets
 - [x] Update the ImagePullSecret list for the default ServiceAccount in each namespace
 - [x] Add an exclude annotation for certain namespaces `alexellis.io/registry-creds.ignore`
+- [x] Add Docker image for `x86_64`
+- [x] Test and update kustomize
 
 Todo:
 - [ ] Use `apierrors.IsNotFound(err)` everywhere instead of assuming an error means not found
 - [ ] Support alterations/updates to the primary `ClusterPullSecret`
-- [ ] Add Docker image for `x86_64`
 - [ ] Add multi-arch Docker image for `x86_64` and arm
-- [ ] Add helm chart / kustomize
+- [ ] Add helm chart
 - [ ] Add one-liner with an arkade app - `arkade install registry-creds --username $USERNAME --password $PASSWORD`
 
 ## Installation
@@ -49,6 +50,8 @@ make install
 make run
 ```
 
+> Note, you can also run `make install deploy` to try running in-cluster.
+
 ## Usage
 
 To use this operator create a `ClusterPullSecret` CustomResource and apply it to your cluster.

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -46,6 +46,24 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - ops.alexellis.io
   resources:

diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: manager-rolebinding
+  name: registry-creds-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: registry-creds-role
 subjects:
 - kind: ServiceAccount
   name: default

diff --git a/controllers/clusterpullsecret_controller.go b/controllers/clusterpullsecret_controller.go
@@ -32,6 +32,9 @@ type ClusterPullSecretReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=secrets/status,verbs=get;update;patch
 
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts/status,verbs=get;update;patch
+
 func (r *ClusterPullSecretReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
 	_ = r.Log.WithValues("clusterpullsecret", req.NamespacedName)