preflight: added many missing missing permissions

maelvls · maelvls · commit 63f7ff45405b · 2021-03-11T16:03:13.000+01:00
The preflight agent was unable to list and get the following objects:

  services
  replicasets
  statefulsets
  jobs
  pods
  daemonsets
  ingresses
  deployments
  cronjobs

Signed-off-by: Maël Valais &lt;mael@vls.dev&gt;
diff --git a/schema.yaml b/schema.yaml
@@ -8,7 +8,7 @@ x-google-marketplace:
   schemaVersion: v2
 
   # MUST match the version of the Application custom resource object.
-  # This is the same as the top level applicationApiVersion field in v1.
+  # This is the same as the top level applicationApiVersion field in v1.beta1
   applicationApiVersion: v1beta1
 
   # We are not "truely" following semver.org since we use a "-" for a final
@@ -346,45 +346,37 @@ properties:
     x-google-marketplace:
       type: SERVICE_ACCOUNT
       serviceAccount:
-        description: Service account used by preflight
+        description: Service account used by the Jetstack Secure Platform agent
         roles:
           - type: ClusterRole
             rulesType: CUSTOM
             rules:
-              - apiGroups: [""]
-                resources: ["nodes"]
+              # The jetstack secure agent gathers services for pod readiness
+              # probe rules.
+              - resources: ["services", "pods"]
                 verbs: ["get", "list"]
-          - type: ClusterRole
-            rulesType: CUSTOM
-            rules:
-              - apiGroups: [""]
-                resources: ["secrets"]
+              # The jetstack secure agent gathers higher level resources to
+              # ensure data to determine ownership is present.
+              - resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
+                apiGroups: ["apps"]
+                verbs: ["get", "list"]
+              - resources: ["jobs", "cronjobs"]
+                apiGroups: ["batch"]
+                verbs: ["get", "list"]
+              # The jetstack secure agent gathers resources for cert-manager package.
+              - resources: ["secrets"]
+                verbs: ["get", "list"]
+              - apiGroups: ["networking.k8s.iobeta1"]
+                resources: ["ingresses"]
                 verbs: ["get", "list"]
-          - type: ClusterRole
-            rulesType: CUSTOM
-            rules:
               - apiGroups: ["cert-manager.io"]
-                resources:
-                  - certificates
-                  - certificaterequests
-                  - issuers
-                  - clusterissuers
+                resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
                 verbs: ["get", "list"]
-          - type: ClusterRole
-            rulesType: CUSTOM
-            rules:
-              - apiGroups: ["cas-issuer.jetstack.io"]
-                resources:
-                  - googlecasissuers
-                  - googlecasclusterissuers
+              - apiGroups: ["cas-issuer.jetstack.ioalpha1"]
+                resources: ["googlecasissuers", "googlecasclusterissuers"]
                 verbs: ["get", "list"]
-          - type: ClusterRole
-            rulesType: CUSTOM
-            rules:
               - apiGroups: ["admissionregistration.k8s.io"]
-                resources:
-                  - validatingwebhookconfigurations
-                  - mutatingwebhookconfigurations
+                resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
                 verbs: ["get", "list"]
 
   # https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/64181be/docs/billing-integration.md
