From 1c2317d8c54b54cd18c0852f12aa69e5f9320e12 Mon Sep 17 00:00:00 2001
From: Dimitri Saridakis
Date: Fri, 22 Sep 2023 16:54:50 +0100
Subject: [PATCH 1/4] refactor: addition of rbac needed for instascale controller

---
 config/rbac/instascale_role.yaml | 102 +++++++++++++++++++++++
 config/rbac/instascale_role_binding.yaml | 12 +++
 2 files changed, 114 insertions(+)
 create mode 100644 config/rbac/instascale_role.yaml
 create mode 100644 config/rbac/instascale_role_binding.yaml

diff --git a/config/rbac/instascale_role.yaml b/config/rbac/instascale_role.yaml
new file mode 100644
index 000000000..ff7abc866
--- /dev/null
+++ b/config/rbac/instascale_role.yaml
@@ -0,0 +1,102 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: instascale-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resourceNames:
+  - instascale-ocm-secret
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - machineset
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - machineset/status
+  verbs:
+  - get
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - clusterversions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - machine.openshift.io
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - workload.codeflare.dev
+  resources:
+  - appwrappers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - workload.codeflare.dev
+  resources:
+  - appwrappers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - workload.codeflare.dev
+  resources:
+  - appwrappers/status
+  verbs:
+  - get
+  - patch
+  - update
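Review bot: The `nodes` rule grants `patch` and `update` with no further scoping, and because Node is a cluster-scoped resource a ClusterRole cannot narrow that by namespace, so the bound service account can rewrite labels, taints and `spec.unschedulable` on every node in the cluster. Nothing in the hunk records which node fields the controller actually writes, so a reviewer cannot tell whether `update` is needed on top of `patch`. A comment above the rule, e.g. `# nodes: patch/update is used to <label|taint> nodes acquired for an AppWrapper -- confirm update is still required`, would pin that down; the same one-line justification would help on the other cluster-wide write grants in this file.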
diff --git a/config/rbac/instascale_role_binding.yaml b/config/rbac/instascale_role_binding.yaml
new file mode 100644
index 000000000..00a7d43f7
--- /dev/null
+++ b/config/rbac/instascale_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: instascale-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: instascale-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

From b3ae92b10b9dba2fe7ae73e7bd8e204b2d73e917 Mon Sep 17 00:00:00 2001
From: Dimitri Saridakis
Date: Mon, 25 Sep 2023 13:48:09 +0100
Subject: [PATCH 2/4] refactor: remove duplicate permissions and remove wildcard for machine.openshift.io

---
 config/rbac/instascale_role.yaml | 47 +++----------------------------
 1 file changed, 4 insertions(+), 43 deletions(-)

diff --git a/config/rbac/instascale_role.yaml b/config/rbac/instascale_role.yaml
index ff7abc866..a90631522 100644
--- a/config/rbac/instascale_role.yaml
+++ b/config/rbac/instascale_role.yaml
@@ -5,12 +5,6 @@ metadata:
   creationTimestamp: null
   name: instascale-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -22,20 +16,10 @@ rules:
   - update
 - apiGroups:
   - ""
-  resourceNames:
-  - instascale-ocm-secret
   resources:
   - secrets
   verbs:
   - get
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - apps
   resources:
@@ -65,19 +49,10 @@ rules:
 - apiGroups:
   - machine.openshift.io
   resources:
-  - '*'
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - workload.codeflare.dev
-  resources:
-  - appwrappers
+  - controlplanemachinesets
+  - machinehealthchecks
+  - machines
+  - machinesets
   verbs:
   - create
   - delete
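Review bot: `instascale_role_binding.yaml` omits the `---` document-start marker that the sibling `instascale_role.yaml` in this series begins with; add `---` as the first line so both files follow one convention and pass a `document-start` lint. The binding attaches the ClusterRole to the operator's own `controller-manager` account in namespace `system`, which reads as the kustomize placeholder that the config's namespace transformer rewrites; the diffstat shows only the two new files, so it is worth confirming that `config/rbac/kustomization.yaml` is updated elsewhere to include them, otherwise neither resource is rendered and the controller silently runs without these grants.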
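Review bot: Dropping `resourceNames: [instascale-ocm-secret]` leaves the surviving rule as `get` on `secrets` with no name restriction, and through the ClusterRoleBinding that means the controller can now read any Secret by name in any namespace, including other service accounts' tokens, which is a far larger grant than the "remove duplicate permissions" subject suggests. `get` is one of the verbs that `resourceNames` does constrain (unlike `list`/`watch`), so the original narrowing was effective and should be kept: restore `resourceNames:` / `- instascale-ocm-secret` under the `secrets` rule. If the secret name is configurable at runtime and cannot be pinned here, say so in a comment above the rule rather than widening it to every secret in the cluster.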
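Review bot: The replacement resource list keeps the full verb set (`create`, `delete`, `patch`, `update`, `watch`, …) for every `machine.openshift.io` kind named, so the account can create and delete `machines` and `machinesets` outright rather than only resize them. If scaling is done by changing a MachineSet's replica count, the narrower grant is `get`/`update`/`patch` on the `machinesets/scale` subresource plus read verbs on `machinesets` and `machines`, with `create`/`delete` kept only where the controller genuinely creates or removes its own MachineSets. The controller code is not visible in this diff, so treat that as something to verify; a comment on the rule stating which operation needs which verb would make the next RBAC review much faster.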
@@ -86,17 +61,3 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - workload.codeflare.dev
-  resources:
-  - appwrappers/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - workload.codeflare.dev
-  resources:
-  - appwrappers/status
-  verbs:
-  - get
-  - patch
-  - update

From 95b9201e75d8c1467dcf4a4c7506324691a71c27 Mon Sep 17 00:00:00 2001
From: Dimitri Saridakis
Date: Mon, 25 Sep 2023 17:14:25 +0100
Subject: [PATCH 3/4] refactor: limit resources for machine.openshift.io api group

---
 config/rbac/instascale_role.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/config/rbac/instascale_role.yaml b/config/rbac/instascale_role.yaml
index a90631522..8c378ecac 100644
--- a/config/rbac/instascale_role.yaml
+++ b/config/rbac/instascale_role.yaml
@@ -49,8 +49,6 @@ rules:
 - apiGroups:
   - machine.openshift.io
   resources:
-  - controlplanemachinesets
-  - machinehealthchecks
   - machines
   - machinesets
   verbs:

From ae38143e5a1e457c4b1d68575a30f18bbf10d4e4 Mon Sep 17 00:00:00 2001
From: Dimitri Saridakis
Date: Tue, 26 Sep 2023 13:47:49 +0100
Subject: [PATCH 4/4] refactor: removes unneccessary permissions

---
 config/rbac/instascale_role.yaml | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/config/rbac/instascale_role.yaml b/config/rbac/instascale_role.yaml
index 8c378ecac..dec6b720a 100644
--- a/config/rbac/instascale_role.yaml
+++ b/config/rbac/instascale_role.yaml
@@ -20,24 +20,6 @@ rules:
   - secrets
   verbs:
   - get
-- apiGroups:
-  - apps
-  resources:
-  - machineset
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - apps
-  resources:
-  - machineset/status
-  verbs:
-  - get
 - apiGroups:
   - config.openshift.io
   resources: