fix(rbac): adds missing resources

jewertow · Nov 11, 2022 · 07163f3 · 07163f3
1 parent 9ed0c69
commit 07163f3
Showing 1 changed file with 23 additions and 23 deletions.
diff --git a/tests/integration/servicemesh/maistra/testdata/role.yaml b/tests/integration/servicemesh/maistra/testdata/role.yaml
@@ -23,21 +23,18 @@ rules:
     verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
     resources: [ "workloadentries/status" ]
 
-  # discovery and routing
-  - apiGroups: [""]
-    resources: ["pods", "services", "endpoints"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["discovery.k8s.io"]
-    resources: ["endpointslices"]
-    verbs: ["get", "list", "watch"]
+  # auto-detect installed CRD definitions
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions" ]
+    verbs: [ "get", "list", "watch" ]
 
   # ingress controller
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["networking.k8s.io"]
-    resources: ["ingresses/status"]
-    verbs: ["*"]
+  - apiGroups: [ "networking.k8s.io" ]
+    resources: [ "ingresses", "ingressclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "networking.k8s.io" ]
+    resources: [ "ingresses/status" ]
+    verbs: [ "*" ]
 
   # required for CA's namespace controller
   - apiGroups: [""]
@@ -46,25 +43,20 @@ rules:
 
   # Use for Kubernetes Service APIs
   - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
-    resources: ["gateways", "httproutes", "tcproutes", "tlsroutes", "udproutes", "referencepolicies"]
+    resources: ["*"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
-    resources: ["gateways/status", "httproutes/status", "tcproutes/status", "tlsroutes/status", "udproutes/status", "referencepolicies/status"]
+    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
     verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
 
   # Needed for multicluster secret reading, possibly ingress certs in the future
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "watch", "list"]
 
-  # Maistra specific
-  - apiGroups: ["maistra.io"]
-    resources: ["servicemeshmemberrolls"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["route.openshift.io"]
-    resources: ["routes", "routes/custom-host"]
-    verbs: ["get", "list", "watch", "create", "delete", "update"]
-
   # Used for MCS serviceexport management
   - apiGroups: ["multicluster.x-k8s.io"]
     resources: ["serviceexports"]
@@ -74,6 +66,14 @@ rules:
   - apiGroups: ["multicluster.x-k8s.io"]
     resources: ["serviceimports"]
     verbs: ["get", "watch", "list"]
+
+  # Maistra specific
+  - apiGroups: ["maistra.io"]
+    resources: ["servicemeshmemberrolls"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes", "routes/custom-host"]
+    verbs: ["get", "list", "watch", "create", "delete", "update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role