diff --git a/pkg/cliplugins/workload/plugin/sync.go b/pkg/cliplugins/workload/plugin/sync.go index 076f7aa178fa..85031d6bc3f7 100644 --- a/pkg/cliplugins/workload/plugin/sync.go +++ b/pkg/cliplugins/workload/plugin/sync.go @@ -52,6 +52,7 @@ import ( "k8s.io/klog/v2" "k8s.io/kube-openapi/pkg/util/sets" + kube124 "github.com/kcp-dev/kcp/config/rootcompute/kube-1.24" apiresourcev1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apiresource/v1alpha1" apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1" workloadv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/workload/v1alpha1" @@ -67,8 +68,9 @@ var embeddedResources embed.FS const ( SyncerSecretConfigKey = "kubeconfig" SyncerIDPrefix = "kcp-syncer-" + UpsyncedSuffix = "-up" DNSIDPrefix = "kcp-dns-" - MaxSyncTargetNameLength = validation.DNS1123SubdomainMaxLength - (9 + len(SyncerIDPrefix)) + MaxSyncTargetNameLength = validation.DNS1123SubdomainMaxLength - (9 + len(SyncerIDPrefix) + len(UpsyncedSuffix)) ) // SyncOptions contains options for configuring a SyncTarget and its corresponding syncer. @@ -606,6 +608,37 @@ func (o *SyncOptions) enableSyncerForWorkspace(ctx context.Context, config *rest return "", "", "", err } + // Grant the service account the Upsynced permissions + upsyncedSyncerID := syncerID + UpsyncedSuffix + upsyncedRoleRef := rbacv1.RoleRef{ + Kind: "ClusterRole", + Name: kube124.UpsyncedClusterRoleName, + APIGroup: "rbac.authorization.k8s.io", + } + _, err = kubeClient.RbacV1().ClusterRoleBindings().Get(ctx, + upsyncedSyncerID, + metav1.GetOptions{}) + if err != nil && !apierrors.IsNotFound(err) { + return "", "", "", err + } + if err == nil { + if err := kubeClient.RbacV1().ClusterRoleBindings().Delete(ctx, upsyncedSyncerID, metav1.DeleteOptions{}); err != nil { + return "", "", "", err + } + } + + fmt.Fprintf(o.ErrOut, "Creating or updating cluster role binding %q to bind service account %q to cluster role %q.\n", upsyncedSyncerID, syncerID, kube124.UpsyncedClusterRoleName) + if _, err = kubeClient.RbacV1().ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: upsyncedSyncerID, + OwnerReferences: syncTargetOwnerReferences, + }, + Subjects: subjects, + RoleRef: upsyncedRoleRef, + }, metav1.CreateOptions{}); err != nil && !apierrors.IsAlreadyExists(err) { + return "", "", "", err + } + // Wait for the service account to be updated with the name of the token secret tokenSecretName := "" err = wait.PollImmediateWithContext(ctx, 100*time.Millisecond, 20*time.Second, func(ctx context.Context) (bool, error) {