Add RBAC recommendations for controllers (#219)

The parent and child reconciler each make client requests based on the resources being reconciled. We should give guidance to users as to what RBAC permissions are required to effectively use the reconcilers. The RBAC permissions are defined as kubebuilder annotations that can be parsed and converted into a ClusterRole via controller-gen. Signed-off-by: Scott Andrews <andrewssc@vmware.com>
vmware-labs · May 3, 2022 · 3382f72 · 3382f72
1 parent 2ac8d0c
commit 3382f72
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -67,6 +67,35 @@ func FunctionReconciler(c reconcilers.Config) *reconcilers.ParentReconciler {
 ```
 [full source](https://github.com/projectriff/system/blob/4c3b75327bf99cc37b57ba14df4c65d21dc79d28/pkg/controllers/build/function_reconciler.go#L39-L51)
 
+**Recommended RBAC:**
+
+Replace `<group>` and `<resource>` with values for the parent type.
+
+```go
+// +kubebuilder:rbac:groups=<group>,resources=<resource>,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=<group>,resources=<resource>/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete
+```
+
+or
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: # any name that is bound to the ServiceAccount used by the client
+rules:
+- apiGroups: ["<group>"]
+  resources: ["<resource>"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["<group>"]
+  resources: ["<resource>/status"]
+  verbs: ["get", "update", "patch"]
+- apiGroups: ["core"]
+  resources: ["events"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+```
+
 ### SubReconciler
 
 The [`SubReconciler`](https://pkg.go.dev/github.com/vmware-labs/reconciler-runtime/reconcilers#SubReconciler) interface defines the contract between the parent and sub reconcilers.
@@ -196,6 +225,28 @@ func FunctionChildImageReconciler(c reconcilers.Config) reconcilers.SubReconcile
 ```
 [full source](https://github.com/projectriff/system/blob/4c3b75327bf99cc37b57ba14df4c65d21dc79d28/pkg/controllers/build/function_reconciler.go#L76-L151)
 
+**Recommended RBAC:**
+
+Replace `<group>` and `<resource>` with values for the child type.
+
+```go
+// +kubebuilder:rbac:groups=<group>,resources=<resource>,verbs=get;list;watch;create;update;patch;delete
+```
+
+or
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: # any name that is bound to the ServiceAccount used by the client
+rules:
+- apiGroups: ["<group>"]
+  resources: ["<resource>"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+```
+
+
 ### Higher-order Reconcilers
 
 Higher order reconcilers are SubReconcilers that do not perform work directly, but instead compose other SubReconcilers in new patterns.