From 7a60ffff2b0b5e3b2ef4367d33deb6a9462d8fb8 Mon Sep 17 00:00:00 2001 From: Dipankar Das <65275144+dipankardas011@users.noreply.github.com> Date: Sun, 26 Jan 2025 16:25:16 +0530 Subject: [PATCH] patch(perms): added fine grain roles and added /metrics Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com> --- config/rbac/role.yaml | 79 ++++++++++++++++++- .../controller/clusteraddon_controller.go | 9 ++- 2 files changed, 85 insertions(+), 3 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index d25f3f5..d03472a 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -4,10 +4,70 @@ kind: ClusterRole metadata: name: manager-role rules: +- nonResourceURLs: + - /metrics + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - - '*' + - coordination.k8s.io resources: - - '*' + - leases verbs: - create - delete @@ -42,3 +102,18 @@ rules: - get - patch - update +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/internal/controller/clusteraddon_controller.go b/internal/controller/clusteraddon_controller.go index ef1b2e2..a017c90 100644 --- a/internal/controller/clusteraddon_controller.go +++ b/internal/controller/clusteraddon_controller.go @@ -43,10 +43,17 @@ type ClusterAddonReconciler struct { const managerFinalizer string = "finalizer.manage.ksctl.com" +// RBAC markers for comprehensive controller management // +kubebuilder:rbac:groups=manage.ksctl.com,resources=clusteraddons,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=manage.ksctl.com,resources=clusteraddons/status,verbs=get;update;patch // +kubebuilder:rbac:groups=manage.ksctl.com,resources=clusteraddons/finalizers,verbs=update -// +kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations;mutatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;statefulsets,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="",resources=namespaces;serviceaccounts;services;configmaps;secrets;pods,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:urls=/metrics,verbs=get func (r *ClusterAddonReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { l := log.FromContext(ctx)