Restrict caches for Roles and Rolebindings by name

Signed-off-by: Angel Misevski <amisevsk@redhat.com>
devfile · Oct 20, 2021 · 9a9ef1d · 9a9ef1d
1 parent f7e3256
commit 9a9ef1d
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 4 deletions.
diff --git a/pkg/cache/cache.go b/pkg/cache/cache.go
@@ -16,13 +16,16 @@ package cache
 import (
 	"fmt"
 
+	"github.com/devfile/devworkspace-operator/pkg/common"
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 	"github.com/devfile/devworkspace-operator/pkg/infrastructure"
 	routev1 "github.com/openshift/api/route/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 )
@@ -71,6 +74,12 @@ func GetCacheFunc() (cache.NewCacheFunc, error) {
 		&corev1.Secret{}: {
 			Label: secretObjectSelector,
 		},
+		&rbacv1.Role{}: {
+			Field: fields.SelectorFromSet(fields.Set{"metadata.name": common.WorkspaceRoleName()}),
+		},
+		&rbacv1.RoleBinding{}: {
+			Field: fields.SelectorFromSet(fields.Set{"metadata.name": common.WorkspaceRolebindingName()}),
+		},
 	}
 
 	if infrastructure.IsOpenShift() {

diff --git a/pkg/common/naming.go b/pkg/common/naming.go
@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
+
+	"github.com/devfile/devworkspace-operator/pkg/constants"
 )
 
 var NonAlphaNumRegexp = regexp.MustCompile(`[^a-z0-9]+`)
@@ -95,3 +97,11 @@ func AutoMountSecretVolumeName(volumeName string) string {
 func AutoMountPVCVolumeName(pvcName string) string {
 	return fmt.Sprintf("automount-pvc-%s", pvcName)
 }
+
+func WorkspaceRoleName() string {
+	return "workspace"
+}
+
+func WorkspaceRolebindingName() string {
+	return constants.ServiceAccount + "dw"
+}
diff --git a/pkg/provision/workspace/rbac.go b/pkg/provision/workspace/rbac.go
@@ -17,10 +17,9 @@ package workspace
 
 import (
 	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	"github.com/devfile/devworkspace-operator/pkg/common"
 	"github.com/devfile/devworkspace-operator/pkg/provision/sync"
 
-	"github.com/devfile/devworkspace-operator/pkg/constants"
-
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -52,7 +51,7 @@ func generateRBAC(namespace string) []client.Object {
 	return []client.Object{
 		&rbacv1.Role{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "workspace",
+				Name:      common.WorkspaceRoleName(),
 				Namespace: namespace,
 			},
 			Rules: []rbacv1.PolicyRule{
@@ -96,7 +95,7 @@ func generateRBAC(namespace string) []client.Object {
 		},
 		&rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      constants.ServiceAccount + "-dw",
+				Name:      common.WorkspaceRolebindingName(),
 				Namespace: namespace,
 			},
 			RoleRef: rbacv1.RoleRef{