From a0e7ef85389ce7957bae2fa7083eedde55603aec Mon Sep 17 00:00:00 2001 From: Jeffrey Limnardy Date: Tue, 12 Nov 2024 14:47:28 +0100 Subject: [PATCH 1/4] separate agent rbacs --- internal/resources/otelcollector/rbac.go | 43 +++++++++++++++--------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/internal/resources/otelcollector/rbac.go b/internal/resources/otelcollector/rbac.go index 273e60450..7307f4a87 100644 --- a/internal/resources/otelcollector/rbac.go +++ b/internal/resources/otelcollector/rbac.go @@ -65,22 +65,22 @@ func makeTraceGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole } func makeMetricAgentClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { - clusterRole := &rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: name.Name, - Namespace: name.Namespace, - Labels: labels.MakeDefaultLabel(name.Name), + + kubeletStatsRules := []rbacv1.PolicyRule{{ + APIGroups: []string{""}, + Resources: []string{"nodes", "nodes/stats", "nodes/proxy"}, + Verbs: []string{"get", "list", "watch"}, + }} + + prometheusRules := []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"nodes", "nodes/metrics", "services", "endpoints", "pods"}, + Verbs: []string{"get", "list", "watch"}, }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"nodes", "nodes/metrics", "nodes/stats", "nodes/proxy", "services", "endpoints", "pods"}, - Verbs: []string{"get", "list", "watch"}, - }, - { - NonResourceURLs: []string{"/metrics", "/metrics/cadvisor"}, - Verbs: []string{"get"}, - }, + { + NonResourceURLs: []string{"/metrics", "/metrics/cadvisor"}, + Verbs: []string{"get"}, }, } 
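Review bot: The new `kubeletStatsRules` rule grants `list` and `watch` on `nodes/stats` and `nodes/proxy`, and `get` on `nodes/proxy` lets the agent's service account reach any kubelet read endpoint (`/pods`, `/logs/...`, `/metrics/...`) through the API-server proxy, which is a good deal more than stats scraping needs. As far as I know those two subresources only serve `get` (proxy additionally the write verbs), so the extra verbs are inert rather than dangerous, but the rule reads as broader than it is and invites copy-paste into other roles. I would split it so that only `nodes` keeps `list`/`watch` while the subresources get `get` alone, and drop `nodes/proxy` entirely if the kubeletstats receiver configuration does not use the features that go through the kubelet proxy (utilization metrics / extra metadata labels) — that cannot be confirmed from this file. `nodes` also appears again in `prometheusRules` with the same verbs, so one of the two entries is redundant. `makeMetricAgentClusterRole` continues past the hunk.
```go
	kubeletStatsRules := []rbacv1.PolicyRule{
		{
			APIGroups: []string{""},
			Resources: []string{"nodes"},
			Verbs:     []string{"get", "list", "watch"},
		},
		{
			// subresources: only get is meaningful here; nodes/proxy also exposes every kubelet read endpoint
			APIGroups: []string{""},
			Resources: []string{"nodes/stats", "nodes/proxy"},
			Verbs:     []string{"get"},
		},
	}
	// … unchanged: prometheusRules …
```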
@@ -106,7 +106,18 @@ func makeMetricAgentClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { Verbs: []string{"get", "list", "watch"}, }} - clusterRole.Rules = append(clusterRole.Rules, k8sClusterRules...) + clusterRoleRules := append([]rbacv1.PolicyRule{}, kubeletStatsRules...) + clusterRoleRules = append(clusterRoleRules, prometheusRules...) + clusterRoleRules = append(clusterRoleRules, k8sClusterRules...) + + clusterRole := &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, + Labels: labels.MakeDefaultLabel(name.Name), + }, + Rules: clusterRoleRules, + } return clusterRole } From 4464b2149f76ba793ce9ce8306b6d61c35c653e8 Mon Sep 17 00:00:00 2001 From: Jeffrey Limnardy Date: Tue, 12 Nov 2024 15:31:45 +0100 Subject: [PATCH 2/4] separate gateway rbacs --- internal/resources/otelcollector/rbac.go | 68 ++++++++++++------------ 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/internal/resources/otelcollector/rbac.go b/internal/resources/otelcollector/rbac.go index 7307f4a87..a49329b68 100644 --- a/internal/resources/otelcollector/rbac.go +++ b/internal/resources/otelcollector/rbac.go 
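Review bot: `Namespace: name.Namespace` on the ClusterRole's ObjectMeta in this hunk has no meaning, because ClusterRole is cluster-scoped; as far as I recall the API server does not persist a namespace for cluster-scoped objects, so the field only suggests a scoping that does not exist. I would drop that line from the literal. The three-step `append` chain building `clusterRoleRules` can be a single `clusterRoleRules := slices.Concat(kubeletStatsRules, prometheusRules, k8sClusterRules)` if the module is on Go 1.22 or later (the Go version is not visible here); otherwise a `make([]rbacv1.PolicyRule, 0, len(kubeletStatsRules)+len(prometheusRules)+len(k8sClusterRules))` followed by the appends states the intent more directly than the empty-literal copy. `k8sClusterRules` is declared above the hunk.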
@@ -43,24 +43,26 @@ func MakeMetricGatewayRBAC(name types.NamespacedName) Rbac { } func makeTraceGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { + k8sAttributeRules := []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"namespaces", "pods"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"apps"}, + Resources: []string{"replicasets"}, + Verbs: []string{"get", "list", "watch"}, + }, + } + clusterRoleRules := append([]rbacv1.PolicyRule{}, k8sAttributeRules...) return &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ Name: name.Name, Namespace: name.Namespace, Labels: labels.MakeDefaultLabel(name.Name), }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"namespaces", "pods"}, - Verbs: []string{"get", "list", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"replicasets"}, - Verbs: []string{"get", "list", "watch"}, - }, - }, + Rules: clusterRoleRules, } } @@ -110,7 +112,7 @@ func makeMetricAgentClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { clusterRoleRules = append(clusterRoleRules, prometheusRules...) clusterRoleRules = append(clusterRoleRules, k8sClusterRules...) - clusterRole := &rbacv1.ClusterRole{ + return &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ Name: name.Name, Namespace: name.Namespace, 
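Review bot: The copy `clusterRoleRules := append([]rbacv1.PolicyRule{}, k8sAttributeRules...)` adds nothing: `k8sAttributeRules` is a slice literal local to `makeTraceGatewayClusterRole`, nothing else aliases it, and `Rules: k8sAttributeRules` can be used directly. The same two-rule literal (`namespaces`/`pods` and `apps` `replicasets`, get/list/watch) is what `makeMetricGatewayClusterRole` builds in the next patch of this series, so a shared `func k8sAttributeRules() []rbacv1.PolicyRule` returning it would keep the trace and metric gateway roles from drifting apart when one is tightened. A one-line comment naming the consumer would also help future least-privilege reviews, e.g. `// presumably required by the k8sattributes processor — confirm against the collector config`.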
@@ -118,28 +120,20 @@ func makeMetricAgentClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { }, Rules: clusterRoleRules, } - - return clusterRole } func makeMetricGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { - clusterRole := rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{ - Name: name.Name, - Namespace: name.Namespace, - Labels: labels.MakeDefaultLabel(name.Name), + + k8sAttributeRules := []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{"namespaces", "pods"}, + Verbs: []string{"get", "list", "watch"}, }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{""}, - Resources: []string{"namespaces", "pods"}, - Verbs: []string{"get", "list", "watch"}, - }, - { - APIGroups: []string{"apps"}, - Resources: []string{"replicasets"}, - Verbs: []string{"get", "list", "watch"}, - }, + { + APIGroups: []string{"apps"}, + Resources: []string{"replicasets"}, + Verbs: []string{"get", "list", "watch"}, }, } @@ -161,9 +155,17 @@ func makeMetricGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole Verbs: []string{"get", "list", "watch"}, }} - clusterRole.Rules = append(clusterRole.Rules, kymaStatsRules...) + clusterRoleRules := append([]rbacv1.PolicyRule{}, kymaStatsRules...) + clusterRoleRules = append(clusterRoleRules, k8sAttributeRules...) - return &clusterRole + return &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, + Labels: labels.MakeDefaultLabel(name.Name), + }, + Rules: clusterRoleRules, + } } func makeClusterRoleBinding(name types.NamespacedName) *rbacv1.ClusterRoleBinding { From 3e6fee84d124ea73054ce7f718711e46f2981d5c Mon Sep 17 00:00:00 2001 From: Jeffrey Limnardy Date: Tue, 12 Nov 2024 15:51:48 +0100 Subject: [PATCH 3/4] adjust UT --- internal/resources/otelcollector/rbac.go | 4 ++-- internal/resources/otelcollector/rbac_test.go | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) 
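Review bot: `k8sAttributeRules` in `makeMetricGatewayClusterRole` is byte-for-byte the same literal that `makeTraceGatewayClusterRole` now declares, so the two gateway roles can silently diverge the next time one of them is adjusted; I would move the literal into one helper, `func k8sAttributeRules() []rbacv1.PolicyRule`, and call it from both constructors. Now that the rules are split into named groups, a short comment on each group saying which collector component needs it (presumably the k8sattributes processor for this one) would make future permission reviews much quicker. `makeMetricGatewayClusterRole` continues past the hunk, where `kymaStatsRules` is declared and the role is returned.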
diff --git a/internal/resources/otelcollector/rbac.go b/internal/resources/otelcollector/rbac.go index a49329b68..7b106ee8b 100644 --- a/internal/resources/otelcollector/rbac.go +++ b/internal/resources/otelcollector/rbac.go @@ -155,8 +155,8 @@ func makeMetricGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole Verbs: []string{"get", "list", "watch"}, }} - clusterRoleRules := append([]rbacv1.PolicyRule{}, kymaStatsRules...) - clusterRoleRules = append(clusterRoleRules, k8sAttributeRules...) + clusterRoleRules := append([]rbacv1.PolicyRule{}, k8sAttributeRules...) + clusterRoleRules = append(clusterRoleRules, kymaStatsRules...) return &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ diff --git a/internal/resources/otelcollector/rbac_test.go b/internal/resources/otelcollector/rbac_test.go index 1c1e0fd8a..0c00b999a 100644 --- a/internal/resources/otelcollector/rbac_test.go +++ b/internal/resources/otelcollector/rbac_test.go @@ -65,7 +65,12 @@ func TestMakeMetricAgentRBAC(t *testing.T) { expectedRules := []rbacv1.PolicyRule{ { APIGroups: []string{""}, - Resources: []string{"nodes", "nodes/metrics", "nodes/stats", "nodes/proxy", "services", "endpoints", "pods"}, + Resources: []string{"nodes", "nodes/stats", "nodes/proxy"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{""}, + Resources: []string{"nodes", "nodes/metrics", "services", "endpoints", "pods"}, Verbs: []string{"get", "list", "watch"}, }, { From edd45c0bf86ea4e362ba718cd8b7065742ef3ecc Mon Sep 17 00:00:00 2001 From: Jeffrey Limnardy Date: Tue, 12 Nov 2024 15:54:27 +0100 Subject: [PATCH 4/4] fix lint --- internal/resources/otelcollector/rbac.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/internal/resources/otelcollector/rbac.go b/internal/resources/otelcollector/rbac.go index 7b106ee8b..90a20efc4 100644 --- a/internal/resources/otelcollector/rbac.go +++ b/internal/resources/otelcollector/rbac.go 
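Review bot: `expectedRules` in `TestMakeMetricAgentRBAC` is compared as an ordered slice, which is why the first hunk of this patch had to reorder the production code just to satisfy the test; RBAC evaluation does not depend on rule order, so the assertion (outside the hunk) should be order-insensitive — sort both slices by a stable key or use an elements-match style comparison — and the production order can then follow readability. An assertion that is independent of the exact structure would guard against privilege creep better than a literal copy of the rules: iterate over the returned rules and fail if any verb is outside `get`/`list`/`watch`, or if any resource names `secrets` or `pods/exec`. The expected literal now also repeats `nodes` with identical verbs in two rules; a test that reflects the effective permission set would not need that duplication. `TestMakeMetricAgentRBAC` starts before the hunk and the comparison happens after it.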
@@ -56,6 +56,7 @@ func makeTraceGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole }, } clusterRoleRules := append([]rbacv1.PolicyRule{}, k8sAttributeRules...) + return &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ Name: name.Name, @@ -67,7 +68,6 @@ func makeTraceGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole } func makeMetricAgentClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { - kubeletStatsRules := []rbacv1.PolicyRule{{ APIGroups: []string{""}, Resources: []string{"nodes", "nodes/stats", "nodes/proxy"}, @@ -123,7 +123,6 @@ func makeMetricAgentClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { } func makeMetricGatewayClusterRole(name types.NamespacedName) *rbacv1.ClusterRole { - k8sAttributeRules := []rbacv1.PolicyRule{ { APIGroups: []string{""},