update rbac for capi

Signed-off-by: Zhiwei Yin <[email protected]>
open-cluster-management-io · Jan 7, 2025 · 1e43893 · 1e43893
1 parent 037aa3c
commit 1e43893
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 4 deletions.
diff --git a/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml b/deploy/cluster-manager/chart/cluster-manager/templates/cluster_role.yaml
@@ -7,6 +7,11 @@ rules:
 - apiGroups: [""]
   resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  resourceNames:
+    - "cluster-bootstrap"
+  verbs: ["get", "create"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]

diff --git a/deploy/cluster-manager/config/rbac/cluster_role.yaml b/deploy/cluster-manager/config/rbac/cluster_role.yaml
@@ -9,6 +9,11 @@ rules:
 - apiGroups: [""]
   resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  resourceNames:
+    - "cluster-bootstrap"
+  verbs: ["get", "create"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]

diff --git a/...y/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml b/...y/cluster-manager/olm-catalog/latest/manifests/cluster-manager.clusterserviceversion.yaml
@@ -59,7 +59,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2024-12-24T03:03:39Z"
+    createdAt: "2025-01-06T02:51:43Z"
     description: Manages the installation and upgrade of the ClusterManager.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -127,6 +127,15 @@ spec:
           - patch
           - delete
           - deletecollection
+        - apiGroups:
+          - ""
+          resourceNames:
+          - cluster-bootstrap
+          resources:
+          - serviceaccounts/token
+          verbs:
+          - get
+          - create
         - apiGroups:
           - ""
           resources:

diff --git a/deploy/cluster-manager/registration-capi-rbac/clusterrole_binding.yaml b/deploy/cluster-manager/registration-capi-rbac/clusterrole_binding.yaml
@@ -0,0 +1,14 @@
+---
+# need to bind capi manager cluster role to registration controller sa if enable capi cluster auto-import.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: open-cluster-management:cluster-manager-registration:capi
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: capi-manager-role
+subjects:
+  - kind: ServiceAccount
+    namespace: open-cluster-management-hub
+    name: registration-controller-sa
diff --git a/deploy/cluster-manager/registration-capi-rbac/kustomization.yaml b/deploy/cluster-manager/registration-capi-rbac/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - clusterrole_binding.yaml
diff --git a/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml b/manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml
@@ -14,6 +14,11 @@ rules:
 - apiGroups: [""]
   resources: ["namespaces", "serviceaccounts", "configmaps"]
   verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  resourceNames:
+    - "cluster-bootstrap"
+  verbs: ["get", "create"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
@@ -104,9 +109,6 @@ rules:
 - apiGroups: ["cluster.x-k8s.io"]
   resources: ["clusters"]
   verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
 {{end}}
 {{if .ClusterProfileEnabled}}
 # Allow hub to manage clusterprofile