Merge pull request #207 from openshift-cherrypick-robot/cherry-pick-2…

…06-to-release-4.12 [release-4.12] OCPBUGS-32429: create suitable role and roleBinding for csi-snapshot-webhook
openshift · Apr 19, 2024 · f573ede · f573ede
2 parents afc1c5d + cf053d7
commit f573ede
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 1 deletion.
diff --git a/assets/assets.go b/assets/assets.go
@@ -4,7 +4,7 @@ import (
 	"embed"
 )
 
-//go:embed *.yaml
+//go:embed *.yaml rbac/*.yaml
 var f embed.FS
 
 // ReadFile reads and returns the content of the named file.

diff --git a/assets/rbac/webhook_clusterrole.yaml b/assets/rbac/webhook_clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-snapshot-webhook-clusterrole
+rules:
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshotclasses"]
+  verbs: ["get", "list", "watch"]
diff --git a/assets/rbac/webhook_clusterrolebinding.yaml b/assets/rbac/webhook_clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-snapshot-webhook-clusterrolebinding
+subjects:
+  - kind: ServiceAccount
+    name: csi-snapshot-webhook
+    namespace: ${CONTROLPLANE_NAMESPACE}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-snapshot-webhook-clusterrole
diff --git a/assets/webhook_deployment.yaml b/assets/webhook_deployment.yaml
@@ -20,6 +20,7 @@ spec:
       labels:
         app: csi-snapshot-webhook
     spec:
+      serviceAccount: csi-snapshot-webhook
       containers:
       - name: webhook
         image: ${OPERAND_IMAGE}

diff --git a/assets/webhook_serviceaccount.yaml b/assets/webhook_serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-snapshot-webhook
+  namespace: ${CONTROLPLANE_NAMESPACE}
diff --git a/manifests/05_operator_clusterrole.yaml b/manifests/05_operator_clusterrole.yaml
@@ -59,3 +59,10 @@ rules:
   - validatingwebhookconfigurations
   verbs:
   - "*"
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - "*"
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -131,6 +131,8 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		"CSISnapshotGuestStaticResourceController",
 		namespacedAssetFunc,
 		[]string{
+			"rbac/webhook_clusterrole.yaml",
+			"rbac/webhook_clusterrolebinding.yaml",
 			"volumesnapshots.yaml",
 			"volumesnapshotcontents.yaml",
 			"volumesnapshotclasses.yaml",
@@ -145,6 +147,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		namespacedAssetFunc,
 		[]string{
 			"serviceaccount.yaml",
+			"webhook_serviceaccount.yaml",
 			"webhook_service.yaml",
 		},
 		resourceapply.NewKubeClientHolder(controlPlaneKubeClient),