Remove route-agent OVN secrets RBAC

This approach did not work properly on older versions of Openshift plus kustomize automatically substitutes the submariner-operator namespace in all resources (the OVN RoleBinding needs to be in the openshift-ovn-kubernetes namespace) so the kustomization layout would need more work. So it was decided to remove the OVN namespace-specific RBAC and add secrets permission to the route-agent ClusterRole but restricted to just the "ovn-cert" resource. Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
submariner-io · May 21, 2024 · 6666129 · 6666129
1 parent 856a4db
commit 6666129
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 56 deletions.
diff --git a/config/rbac/submariner-route-agent/cluster_role.yaml b/config/rbac/submariner-route-agent/cluster_role.yaml
@@ -14,6 +14,15 @@ rules:
     verbs:
       - get
       - list
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      # the route agent needs access to the ovn secret
+      - ovn-cert
+    verbs:
+      - get
   - apiGroups:
       - config.openshift.io
     resources:

diff --git a/config/rbac/submariner-route-agent/ovn_cluster_role.yaml b/config/rbac/submariner-route-agent/ovn_cluster_role.yaml
diff --git a/config/rbac/submariner-route-agent/ovn_role_binding.yaml b/config/rbac/submariner-route-agent/ovn_role_binding.yaml
diff --git a/pkg/embeddedyamls/generators/yamls2go.go b/pkg/embeddedyamls/generators/yamls2go.go
@@ -71,8 +71,6 @@ var files = []string{
 	"config/rbac/submariner-route-agent/cluster_role_binding.yaml",
 	"config/rbac/submariner-route-agent/ocp_cluster_role.yaml",
 	"config/rbac/submariner-route-agent/ocp_cluster_role_binding.yaml",
-	"config/rbac/submariner-route-agent/ovn_cluster_role.yaml",
-	"config/rbac/submariner-route-agent/ovn_role_binding.yaml",
 	"config/rbac/submariner-globalnet/service_account.yaml",
 	"config/rbac/submariner-globalnet/role.yaml",
 	"config/rbac/submariner-globalnet/role_binding.yaml",

diff --git a/pkg/embeddedyamls/yamls.go b/pkg/embeddedyamls/yamls.go
@@ -2924,6 +2924,15 @@ rules:
     verbs:
       - get
       - list
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      # the route agent needs access to the ovn secret
+      - ovn-cert
+    verbs:
+      - get
   - apiGroups:
       - config.openshift.io
     resources:
@@ -2991,34 +3000,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: submariner-routeagent
-`
-	Config_rbac_submariner_route_agent_ovn_cluster_role_yaml = `---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: submariner-routeagent-ovn
-rules:
-  - apiGroups:  # the route agent needs access to ovn secrets
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-`
-	Config_rbac_submariner_route_agent_ovn_role_binding_yaml = `---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: submariner-routeagent-ovn
-  namespace: openshift-ovn-kubernetes
-subjects:
-  - kind: ServiceAccount
-    name: submariner-routeagent
-roleRef:
-  kind: ClusterRole
-  name: submariner-routeagent-ovn
-  apiGroup: rbac.authorization.k8s.io
 `
 	Config_rbac_submariner_globalnet_service_account_yaml = `---
 apiVersion: v1