Merge pull request #704 from jvanz/use-rbac-from-controller-repo

feat: Use rbac from controller repo in the development environment and sync rbac with helm charts
kubewarden · Apr 8, 2024 · fd29429 · fd29429
2 parents 7c588c4 + aa6b27d
commit fd29429
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 48 deletions.
diff --git a/Tiltfile b/Tiltfile
@@ -21,6 +21,23 @@ namespace_create('kubewarden')
 # Install CRDs
 crd = kustomize('config/crd')
 k8s_yaml(crd)
+roles = decode_yaml_stream(kustomize('config/rbac'))
+cluster_rules = []
+namespace_rules = []
+roles_rules_mapping = {
+ "ClusterRole": {},
+ "Role": {},
+}
+
+for role in roles:
+ if role.get('kind') == 'ClusterRole':
+ roles_rules_mapping["ClusterRole"][role.get('metadata').get('name')] = role.get('rules')
+ elif role.get('kind') == 'Role':
+ roles_rules_mapping["Role"][role.get('metadata').get('name')] = role.get('rules')
+
+if len(roles_rules_mapping["ClusterRole"]) == 0 or len(roles_rules_mapping["Role"]) == 0:
+ fail("Failed to load cluster and namespace roles")
+
 
 # Install kubewarden-controller helm chart
 install = helm(
@@ -38,7 +55,16 @@ for o in objects:
  o['spec']['template']['spec']['securityContext']['runAsNonRoot'] = False
  # Disable the leader election to speed up the startup time.
  o['spec']['template']['spec']['containers'][0]['args'].remove('--leader-elect')
- break
+
+ # Update the cluster and namespace roles used by the controller. This ensures
+ # that always we have the latest roles applied to the cluster.
+ if o.get('kind') == 'ClusterRole' and o.get('metadata').get('name') == 'kubewarden-controller-manager-cluster-role':
+ o['rules'] = roles_rules_mapping["ClusterRole"]["manager-role"]
+ if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-manager-namespaced-role':
+ o['rules'] = roles_rules_mapping["Role"]["manager-role"]
+ if o.get('kind') == 'Role' and o.get('metadata').get('name') == 'kubewarden-controller-leader-election-role':
+ o['rules'] = roles_rules_mapping["Role"]["leader-election-role"]
+
 updated_install = encode_yaml_stream(objects)
 k8s_yaml(updated_install)
 

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -73,6 +73,32 @@ rules:
  - get
  - patch
  - update
+- apiGroups:
+ - policies.kubewarden.io
+ resources:
+ - policyservers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - policies.kubewarden.io
+ resources:
+ - policyservers/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - policies.kubewarden.io
+ resources:
+ - policyservers/status
+ verbs:
+ - get
+ - patch
+ - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -93,15 +119,6 @@ rules:
  - patch
  - update
  - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- - replicasets
- verbs:
- - get
- - list
- - watch
 - apiGroups:
  - apps
  resources:
@@ -132,29 +149,6 @@ rules:
  - get
  - list
  - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers
- verbs:
- - delete
- - get
- - list
- - watch
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers/finalizers
- verbs:
- - update
-- apiGroups:
- - policies.kubewarden.io
- resources:
- - policyservers/status
- verbs:
- - get
- - patch
- - update
 - apiGroups:
  - policy
  resources:

diff --git a/controllers/admissionpolicy_controller.go b/controllers/admissionpolicy_controller.go
@@ -46,11 +46,8 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/finalizers,verbs=update
 //
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // AdmissionPolicyReconciler reconciles an AdmissionPolicy object
 type AdmissionPolicyReconciler struct {

diff --git a/controllers/clusteradmissionpolicy_controller.go b/controllers/clusteradmissionpolicy_controller.go
@@ -45,12 +45,9 @@ import (
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=get;list;watch;delete
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/finalizers,verbs=update
-//
-// We need access to these resources only inside of the namespace where the
-// controller is deployed. Here we assume it's being deployed inside of the
-// `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets;deployments,verbs=get;list;watch
+
+// Some RBAC rules needed to access some resources used here are defined in the
+// policyserver_controller.go file.
 
 // ClusterAdmissionPolicyReconciler reconciles a ClusterAdmissionPolicy object
 type ClusterAdmissionPolicyReconciler struct {

diff --git a/controllers/policyserver_controller.go b/controllers/policyserver_controller.go
@@ -50,11 +50,11 @@ type PolicyServerReconciler struct {
 // We need access to these resources only inside of the namespace where the
 // controller is deployed. Here we assume it's being deployed inside of the
 // `kubewarden` namespace, this has to be parametrized in the helm chart
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
-//+kubebuilder:rbac:namespace=kubewarden,groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers,verbs=get;list;watch;delete;create;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=policyservers/finalizers,verbs=update
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=secrets;services;configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=deployments,verbs=create;update;patch;delete;get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=apps,resources=replicasets,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=core,resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:namespace=kubewarden,groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete