Add RBAC role for PlacementDecision resource

This commit fixes https://bugzilla.redhat.com/show_bug.cgi?id=2071494. The PlacmentRule has been changed and now generates a placementDecision in the same namespace. The subscription watches the PlacementDecision changes and deploy the application to the managed clusters accordingly. The PlacementRule controller needs to be granted access to the PlacementDecision resource.
red-hat-storage · Apr 11, 2022 · 8bc39e1 · 8bc39e1
1 parent 21b6f39
commit 8bc39e1
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/config/hub/rbac/role.yaml b/config/hub/rbac/role.yaml
@@ -40,6 +40,16 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apps.open-cluster-management.io
+  resources:
+  - placementrules/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
 - apiGroups:
   - apps.open-cluster-management.io
   resources:
@@ -48,6 +58,26 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - cluster.open-cluster-management.io
+  resources:
+  - placementdecisions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cluster.open-cluster-management.io
+  resources:
+  - placementdecisions/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - cluster.open-cluster-management.io
   resources:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -32,6 +32,16 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apps.open-cluster-management.io
+  resources:
+  - placementrules/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
 - apiGroups:
   - apps.open-cluster-management.io
   resources:
@@ -48,6 +58,26 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - cluster.open-cluster-management.io
+  resources:
+  - placementdecisions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cluster.open-cluster-management.io
+  resources:
+  - placementdecisions/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:

diff --git a/controllers/drplacementcontrol_controller.go b/controllers/drplacementcontrol_controller.go
@@ -448,10 +448,13 @@ func (r *DRPlacementControlReconciler) SetupWithManager(mgr ctrl.Manager) error
 // +kubebuilder:rbac:groups=ramendr.openshift.io,resources=drpolicies,verbs=get;list;watch
 // +kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=placementrules,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=placementrules/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=placementrules/finalizers,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=managedclusters,verbs=get;list;watch
 // +kubebuilder:rbac:groups=work.open-cluster-management.io,resources=manifestworks,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=view.open-cluster-management.io,resources=managedclusterviews,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;create;patch;update
+// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions/status,verbs=get;update;patch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.