From 25ceed3f20e7a7af697cadfb894b514490a15947 Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Thu, 4 Jul 2024 17:54:49 +0200 Subject: [PATCH] Adding patch rbac perm for serviceaccounts We also took the opportunity and added patch to all the existing rbac rules that had update already to avoid similar issues in the future Resolves: https://issues.redhat.com/browse/OSPRH-8363 Signed-off-by: Martin Schuppert --- config/rbac/role.yaml | 10 ++++++++++ controllers/ironic_controller.go | 20 ++++++++++---------- controllers/ironicapi_controller.go | 8 ++++---- controllers/ironicconductor_controller.go | 10 +++++----- controllers/ironicinspector_controller.go | 10 +++++----- controllers/ironicneutronagent_controller.go | 8 ++++---- 6 files changed, 38 insertions(+), 28 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 099d5cec..739d3430 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -25,6 +25,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -84,6 +85,7 @@ rules: - delete - get - list + - patch - update - watch - apiGroups: @@ -134,6 +136,7 @@ rules: resources: - ironicapis/finalizers verbs: + - patch - update - apiGroups: - ironic.openstack.org @@ -160,6 +163,7 @@ rules: resources: - ironicconductors/finalizers verbs: + - patch - update - apiGroups: - ironic.openstack.org @@ -186,6 +190,7 @@ rules: resources: - ironicinspectors/finalizers verbs: + - patch - update - apiGroups: - ironic.openstack.org @@ -212,6 +217,7 @@ rules: resources: - ironicneutronagents/finalizers verbs: + - patch - update - apiGroups: - ironic.openstack.org @@ -238,6 +244,7 @@ rules: resources: - ironics/finalizers verbs: + - patch - update - apiGroups: - ironic.openstack.org @@ -304,6 +311,7 @@ rules: resources: - mariadbaccounts/finalizers verbs: + - patch - update - apiGroups: - mariadb.openstack.org @@ -344,6 +352,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: @@ -354,6 +363,7 @@ rules: - create - get - list + - patch - update - watch - apiGroups: diff --git a/controllers/ironic_controller.go b/controllers/ironic_controller.go index 9febbac3..2f9db3cd 100644 --- a/controllers/ironic_controller.go +++ b/controllers/ironic_controller.go @@ -69,32 +69,32 @@ func (r *IronicReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironics,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironics/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironics/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironics/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch -// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;delete; +// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;delete;patch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update +// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch // +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete // service account, role, rolebinding -// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch // service account permissions that are needed to grant permission to the above // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch diff --git a/controllers/ironicapi_controller.go b/controllers/ironicapi_controller.go index 8a37dac3..6a440111 100644 --- a/controllers/ironicapi_controller.go +++ b/controllers/ironicapi_controller.go @@ -82,7 +82,7 @@ func (r *IronicAPIReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicapis/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch @@ -93,9 +93,9 @@ func (r *IronicAPIReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch // service account, role, rolebinding -// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch // service account permissions that are needed to grant permission to the above // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch diff --git a/controllers/ironicconductor_controller.go b/controllers/ironicconductor_controller.go index e313d09c..129c54a8 100644 --- a/controllers/ironicconductor_controller.go +++ b/controllers/ironicconductor_controller.go @@ -74,11 +74,11 @@ func (r *IronicConductorReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicconductors/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch -// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;delete; +// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;delete;patch // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list @@ -87,9 +87,9 @@ func (r *IronicConductorReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete // service account, role, rolebinding -// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch // service account permissions that are needed to grant permission to the above // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch diff --git a/controllers/ironicinspector_controller.go b/controllers/ironicinspector_controller.go index 4d7a3645..53130d30 100644 --- a/controllers/ironicinspector_controller.go +++ b/controllers/ironicinspector_controller.go @@ -91,11 +91,11 @@ func (r *IronicInspectorReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicinspectors/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;create;update;patch;delete;watch -// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;delete; +// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;create;update;delete;patch // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list @@ -106,9 +106,9 @@ func (r *IronicInspectorReconciler) GetLogger(ctx context.Context) logr.Logger { // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete // service account, role, rolebinding -// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch // service account permissions that are needed to grant permission to the above // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch diff --git a/controllers/ironicneutronagent_controller.go b/controllers/ironicneutronagent_controller.go index 59632ed4..e4540cb6 100644 --- a/controllers/ironicneutronagent_controller.go +++ b/controllers/ironicneutronagent_controller.go @@ -73,7 +73,7 @@ func (r *IronicNeutronAgentReconciler) GetLogger(ctx context.Context) logr.Logge // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents/status,verbs=get;update;patch -// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents/finalizers,verbs=update +// +kubebuilder:rbac:groups=ironic.openstack.org,resources=ironicneutronagents/finalizers,verbs=update;patch // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;create;update;patch;delete;watch // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete;watch @@ -83,9 +83,9 @@ func (r *IronicNeutronAgentReconciler) GetLogger(ctx context.Context) logr.Logge // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch // service account, role, rolebinding -// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update +// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch // service account permissions that are needed to grant permission to the above // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch