fix: NamespacedIngress has no enough permission to list deployments (#…

…288) * fix: grant read deployment permission to fsm-mesh-config-role Signed-off-by: Lin Yang <reaver@flomesh.io> * fix: ClusterRole Signed-off-by: Lin Yang <reaver@flomesh.io> * fix: ClusterRole & ClusterRoleBinding permission Signed-off-by: Lin Yang <reaver@flomesh.io> --------- Signed-off-by: Lin Yang <reaver@flomesh.io>
flomesh-io · Jul 6, 2023 · 9cbbba5 · 9cbbba5
1 parent e494931
commit 9cbbba5
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 11 deletions.
diff --git a/charts/fsm/templates/fsm-role.yaml b/charts/fsm/templates/fsm-role.yaml
@@ -115,7 +115,7 @@ rules:
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
 - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles", "rolebindings"]
+ resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 {{- end }}
 {{- end }}
diff --git a/charts/fsm/templates/mesh-config-role.yaml b/charts/fsm/templates/mesh-config-role.yaml
@@ -10,6 +10,22 @@ rules:
  - ""
  resources:
  - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fsm-mesh-config-clusterrole
+ labels:
+ {{- include "fsm.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "apps"
+ resources:
+ - deployments
  verbs:
  - get
  - list

diff --git a/charts/namespaced-ingress/templates/rolebinding.yaml b/charts/namespaced-ingress/templates/rolebinding.yaml
@@ -31,5 +31,20 @@ subjects:
  - kind: ServiceAccount
  name: {{ include "fsm.namespaced-ingress.serviceAccountName" . }}
  namespace: {{ .Values.nsig.metadata.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "fsm-mesh-config-clusterrolebinding-%s" .Values.nsig.metadata.namespace }}
+ labels:
+ {{- include "fsm.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fsm-mesh-config-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "fsm.namespaced-ingress.serviceAccountName" . }}
+ namespace: {{ .Values.nsig.metadata.namespace }}
 {{- end }}
 {{- end }}
diff --git a/controllers/namespacedingress/v1alpha1/namespacedingress_controller.go b/controllers/namespacedingress/v1alpha1/namespacedingress_controller.go
@@ -38,9 +38,6 @@ import (
  ghodssyaml "github.com/ghodss/yaml"
  "helm.sh/helm/v3/pkg/chartutil"
  "helm.sh/helm/v3/pkg/strvals"
- appv1 "k8s.io/api/apps/v1"
- corev1 "k8s.io/api/core/v1"
- rbacv1 "k8s.io/api/rbac/v1"
  "k8s.io/apimachinery/pkg/api/errors"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/runtime"
@@ -203,10 +200,10 @@ func (r *NamespacedIngressReconciler) updateConfig(nsig *nsigv1alpha1.Namespaced
 func (r *NamespacedIngressReconciler) SetupWithManager(mgr ctrl.Manager) error {
  return ctrl.NewControllerManagedBy(mgr).
  For(&nsigv1alpha1.NamespacedIngress{}).
- Owns(&corev1.Service{}).
- Owns(&appv1.Deployment{}).
- Owns(&corev1.ServiceAccount{}).
- Owns(&rbacv1.Role{}).
- Owns(&rbacv1.RoleBinding{}).
+ //Owns(&corev1.Service{}).
+ //Owns(&appv1.Deployment{}).
+ //Owns(&corev1.ServiceAccount{}).
+ //Owns(&rbacv1.Role{}).
+ //Owns(&rbacv1.RoleBinding{}).
  Complete(r)
 }
diff --git a/deploy/fsm-dev.yaml b/deploy/fsm-dev.yaml
@@ -74,6 +74,25 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: fsm
+ app.kubernetes.io/version: 0.2.5-alpha.4-dev
+ helm.sh/chart: fsm-0.2.5-alpha.4
+ name: fsm-mesh-config-clusterrole
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:

diff --git a/deploy/fsm.yaml b/deploy/fsm.yaml
@@ -74,6 +74,25 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: fsm
+ app.kubernetes.io/version: 0.2.5-alpha.4
+ helm.sh/chart: fsm-0.2.5-alpha.4
+ name: fsm-mesh-config-clusterrole
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:

diff --git a/pkg/helm/helm.go b/pkg/helm/helm.go
@@ -145,11 +145,11 @@ func isValidOwner(owner, object metav1.Object) bool {
  if ownerNs != "" {
  objNs := object.GetNamespace()
  if objNs == "" {
- klog.Errorf("cluster-scoped resource must not have a namespace-scoped owner, owner's namespace %s", ownerNs)
+ klog.Warningf("cluster-scoped resource must not have a namespace-scoped owner, owner's namespace %s", ownerNs)
  return false
  }
  if ownerNs != objNs {
- klog.Errorf("cross-namespace owner references are disallowed, owner's namespace %s, obj's namespace %s", owner.GetNamespace(), object.GetNamespace())
+ klog.Warningf("cross-namespace owner references are disallowed, owner's namespace %s, obj's namespace %s", owner.GetNamespace(), object.GetNamespace())
  return false
  }
  }