This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

Add permissions for CPI and CSI controller to create ClusterRole for CAPV to reconcile ProviderServiceAccount #2575

Merged
merged 1 commit into from
Jun 9, 2022

Conversation

shyaamsn
Contributor

@shyaamsn shyaamsn commented Jun 7, 2022

Add permissions required by VsphereCPIConfig and VSphereCSIConfig controller to create ClusterRole for CAPV to reconcile ProviderServiceAccount

Signed-off-by: Shyaam Nagarajan nagarajans@vmware.com

What this PR does / why we need it

Addons-Manager creates a ClusterRole with some permissions that is used by CAPV to reconcile ProviderServiceAccount.

Which issue(s) this PR fixes

Fixes #2574

Describe testing done for PR

Built the addons-manager package and tested on an AWS cluster that the package reconciles successfully.

kubectl --kubeconfig ~/.kube-tkg/config get pkgi -n  tkg-system | grep tanzu-addons

tanzu-addons-manager                          addons-manager.tanzu.vmware.com          0.23.2                                     Reconcile succeeded                                                    15m
kubectl --kubeconfig ~/.kube-tkg/config get clusterroles tanzu-addons-manager-clusterrole -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kapp.k14s.io/identity: v1;/rbac.authorization.k8s.io/ClusterRole/tanzu-addons-manager-clusterrole;rbac.authorization.k8s.io/v1
    kapp.k14s.io/original: '{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"kapp.k14s.io/app":"1654665418647098368","kapp.k14s.io/association":"v1.74c0e3d69a95a4732db83d1b7a13f0a6"},"name":"tanzu-addons-manager-clusterrole"},"rules":[{"apiGroups":["run.tanzu.vmware.com"],"resources":["tanzukubernetesreleases","tanzukubernetesreleases/status","clusterbootstraps","clusterbootstraptemplates","kappcontrollerconfigs"],"verbs":["get","list","watch","create","update","patch","delete"]},{"apiGroups":["cni.tanzu.vmware.com"],"resources":["antreaconfigs","calicoconfigs"],"verbs":["get","list","watch","create","update","patch","delete"]},{"apiGroups":["cpi.tanzu.vmware.com"],"resources":["vspherecpiconfigs"],"verbs":["get","list","watch","create","update","patch","delete"]},{"apiGroups":["cpi.tanzu.vmware.com"],"resources":["vspherecpiconfigs/status"],"verbs":["get","update","patch"]},{"apiGroups":["vmware.infrastructure.cluster.x-k8s.io"],"resources":["providerserviceaccounts"],"verbs":["get","create","list","watch","update","patch"]},{"apiGroups":["csi.tanzu.vmware.com"],"resources":["vspherecsiconfigs"],"verbs":["get","list","watch","create","update","patch","delete"]},{"apiGroups":["csi.tanzu.vmware.com"],"resources":["vspherecsiconfigs/status"],"verbs":["get","update","patch"]},{"apiGroups":["vmware.infrastructure.cluster.x-k8s.io"],"resources":["providerserviceaccounts"],"verbs":["get","create","list","watch","update","patch"]},{"apiGroups":["vmoperator.vmware.com"],"resources":["virtualmachineservices","virtualmachineservices/status"],"verbs":["get","create","update","patch","delete"]},{"apiGroups":["vmoperator.vmware.com"],"resources":["virtualmachines","virtualmachines/status"],"verbs":["get","list","watch","update","patch"]},{"apiGroups":["nsx.vmware.com"],"resources":["ippools","ippools/status"],"verbs":["get","create","update","list","patch","delete","watch"]},{"apiGroups":["nsx.vmware.com"],"resources":["routesets","routesets/status"],"verbs":["get","create","update","list","patch","delete"]},{"apiGroups":["cns.vmware.com"],"resources":["cnsvolumemetadatas","cnsfileaccessconfigs"],"verbs":["get","list","watch","update","create","delete"]},{"apiGroups":["cns.vmware.com"],"resources":["cnscsisvfeaturestates"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["get","list","watch","update","create","delete"]},{"apiGroups":[""],"resources":["persistentvolumeclaims/status"],"verbs":["get","update","patch"]},{"apiGroups":[""],"resources":["events"],"verbs":["list"]},{"apiGroups":["*"],"resources":["*"],"verbs":["get","list","watch","create","update","patch"]},{"apiGroups":["cluster.x-k8s.io"],"resources":["clusters","clusters/status"],"verbs":["get","list","watch"]},{"apiGroups":["controlplane.cluster.x-k8s.io"],"resources":["kubeadmcontrolplanes","kubeadmcontrolplanes/status"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["get","list","watch","create","update","patch","delete"]},{"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["events"],"verbs":["create","patch"]},{"apiGroups":["kappctrl.k14s.io"],"resources":["apps"],"verbs":["get","list","watch","create","update","patch","delete"]},{"apiGroups":["packaging.carvel.dev"],"resources":["packagerepositories","packagerepositories/status"],"verbs":["get","list","watch","create","update","patch"]},{"apiGroups":["packaging.carvel.dev"],"resources":["packageinstalls","packageinstalls/status"],"verbs":["get","list","watch","create","update","patch","delete"]}]}'
    kapp.k14s.io/original-diff-md5: c6e94dc94aed3401b5d0f26ed6c0bff3
  creationTimestamp: "2022-06-08T05:17:02Z"
  labels:
    kapp.k14s.io/app: "1654665418647098368"
    kapp.k14s.io/association: v1.74c0e3d69a95a4732db83d1b7a13f0a6
  name: tanzu-addons-manager-clusterrole
  resourceVersion: "6710"
  uid: 788ecbee-ad21-48ac-b8c8-9231a3759f87
rules:
- apiGroups:
  - run.tanzu.vmware.com
  resources:
  - tanzukubernetesreleases
  - tanzukubernetesreleases/status
  - clusterbootstraps
  - clusterbootstraptemplates
  - kappcontrollerconfigs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - cni.tanzu.vmware.com
  resources:
  - antreaconfigs
  - calicoconfigs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - cpi.tanzu.vmware.com
  resources:
  - vspherecpiconfigs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - cpi.tanzu.vmware.com
  resources:
  - vspherecpiconfigs/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - vmware.infrastructure.cluster.x-k8s.io
  resources:
  - providerserviceaccounts
  verbs:
  - get
  - create
  - list
  - watch
  - update
  - patch
- apiGroups:
  - csi.tanzu.vmware.com
  resources:
  - vspherecsiconfigs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - csi.tanzu.vmware.com
  resources:
  - vspherecsiconfigs/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - vmware.infrastructure.cluster.x-k8s.io
  resources:
  - providerserviceaccounts
  verbs:
  - get
  - create
  - list
  - watch
  - update
  - patch
- apiGroups:
  - vmoperator.vmware.com
  resources:
  - virtualmachineservices
  - virtualmachineservices/status
  verbs:
  - get
  - create
  - update
  - patch
  - delete
- apiGroups:
  - vmoperator.vmware.com
  resources:
  - virtualmachines
  - virtualmachines/status
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - nsx.vmware.com
  resources:
  - ippools
  - ippools/status
  verbs:
  - get
  - create
  - update
  - list
  - patch
  - delete
  - watch
- apiGroups:
  - nsx.vmware.com
  resources:
  - routesets
  - routesets/status
  verbs:
  - get
  - create
  - update
  - list
  - patch
  - delete
- apiGroups:
  - cns.vmware.com
  resources:
  - cnsvolumemetadatas
  - cnsfileaccessconfigs
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
- apiGroups:
  - cns.vmware.com
  resources:
  - cnscsisvfeaturestates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
- apiGroups:
  - cluster.x-k8s.io
  resources:
  - clusters
  - clusters/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - controlplane.cluster.x-k8s.io
  resources:
  - kubeadmcontrolplanes
  - kubeadmcontrolplanes/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - kappctrl.k14s.io
  resources:
  - apps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packagerepositories
  - packagerepositories/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packageinstalls
  - packageinstalls/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

Release note

package-based-lcm:  Add permissions required by VsphereCPIConfig and VSphereCSIConfig controller to create ClusterRole for CAPV to reconcile ProviderServiceAccount

PR Checklist

  • Squash the commits into one or a small number of logical commits
  • Use good commit messages
  • Ensure PR contains terms all contributors can understand and links all contributors can access

Additional information

The permissions have been fetched from:
CPI: https://github.com/vmware-tanzu/tanzu-framework/blob/main/addons/controllers/cpi/vspherecpiconfig_controller.go#L40

CSI: https://github.com/vmware-tanzu/tanzu-framework/blob/main/addons/controllers/csi/vspherecsiconfig_controller.go#L47

Special notes for your reviewer
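The escalation-prevention rule behind this PR, as an added example (not code from the PR or from tanzu-framework): the Kubernetes API server lets a subject create or update a ClusterRole only if the subject already holds every permission that role grants (or has the escalate verb), so addons-manager must itself carry each grant it writes into the role for CAPV. The rule sets below are constructed from a few of the grants shown on this page; the CAPV target role is assumed, since the PR does not show the generated role.

```python
# Added example, not code from this PR or from tanzu-framework. Kubernetes RBAC
# escalation prevention lets a subject create a ClusterRole only if it already
# holds every rule it grants (or has the 'escalate' verb); this models that
# check. Simplified: resourceNames and nonResourceURLs are ignored.
from itertools import product

def _matches(pattern, value):
    """'*' in apiGroups, resources or verbs is a wildcard in RBAC."""
    return pattern == "*" or pattern == value

def _rule_covers(rule, group, resource, verb):
    """True if one PolicyRule grants the (apiGroup, resource, verb) triple."""
    return (any(_matches(g, group) for g in rule["apiGroups"])
            and any(_matches(r, resource) for r in rule["resources"])
            and any(_matches(v, verb) for v in rule["verbs"]))

def uncovered(creator_rules, target_rules):
    """Triples in target_rules that creator_rules do not grant. An empty list
    means the API server would not reject the create on escalation grounds."""
    wanted = set()
    for r in target_rules:
        wanted |= set(product(r["apiGroups"], r["resources"], r["verbs"]))
    return sorted(t for t in wanted
                  if not any(_rule_covers(r, *t) for r in creator_rules))

def wildcard_rules(rules):
    """Rules granting '*' apiGroups or resources; review these under least privilege."""
    return [r for r in rules if "*" in r["apiGroups"] or "*" in r["resources"]]

# Constructed sample: a ClusterRole for CAPV as addons-manager might create it
# (assumed content; the PR does not show the generated role).
CAPV_TARGET = [
    {"apiGroups": ["vmoperator.vmware.com"], "resources": ["virtualmachines"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": ["cns.vmware.com"], "resources": ["cnsvolumemetadatas"],
     "verbs": ["get", "list", "watch", "update", "create", "delete"]},
]
# Constructed: addons-manager rules before the PR (no vmoperator or cns grant).
BEFORE = [
    {"apiGroups": ["cpi.tanzu.vmware.com"], "resources": ["vspherecpiconfigs"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]
# Constructed: the same role after the grants this PR adds.
AFTER = BEFORE + CAPV_TARGET

if __name__ == "__main__":
    print("missing before PR:", uncovered(BEFORE, CAPV_TARGET))  # 11 triples
    print("missing after PR:", uncovered(AFTER, CAPV_TARGET))    # []
```

Run against the broad rule in the role above (apiGroups '*', resources '*', six verbs without delete), uncovered() reports only the delete triples, which is why the narrower per-group rules still matter and why wildcard_rules() is worth running on any role a controller is allowed to write.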

@codecov

codecov bot commented Jun 8, 2022

Codecov Report

Merging #2575 (a7e18fa) into main (f3fab85) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2575   +/-   ##
=======================================
  Coverage   42.39%   42.40%           
=======================================
  Files         399      399           
  Lines       39719    39719           
=======================================
+ Hits        16839    16841    +2     
+ Misses      21293    21292    -1     
+ Partials     1587     1586    -1     
Impacted Files Coverage Δ
pkg/v1/tkg/tkgpackageclient/package_update.go 85.00% <0.00%> (+1.42%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Contributor

@vijaykatam vijaykatam left a comment


LGTM. Thanks for the change.

…troller to create ClusterRole for CAPV to reconcile ProviderServiceAccount

Signed-off-by: Shyaam Nagarajan <nagarajans@vmware.com>
@shyaamsn shyaamsn added the ok-to-merge PRs should be labelled with this before merging label Jun 9, 2022
@shyaamsn shyaamsn merged commit 33bb934 into vmware-tanzu:main Jun 9, 2022
ankeesler pushed a commit to ankeesler/tanzu-framework that referenced this pull request Jun 14, 2022
…troller to create ClusterRole for CAPV to reconcile ProviderServiceAccount (vmware-tanzu#2575)

Signed-off-by: Shyaam Nagarajan <nagarajans@vmware.com>
Labels
cla-not-required ok-to-merge PRs should be labelled with this before merging
Development

Successfully merging this pull request may close these issues.

Addons-Manager fails to create ClusterRole required by CAPV to reconcile ProviderServiceAccount