From 34c3d922532025e46fa348e239b1136041b92645 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arda=20G=C3=BC=C3=A7l=C3=BC?=
Date: Thu, 23 Dec 2021 13:56:25 +0300
Subject: [PATCH] Add pod listing permission to extract pod host IP and remove fieldSelector
---
 config/rbac/role.yaml | 7 +++++
 controllers/provisioning_controller.go | 1 +
 ...31_cluster-baremetal-operator_05_rbac.yaml | 7 +++++
 provisioning/baremetal_pod.go | 29 ++++++++++++++-----
 4 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 64fee0760..b8a362624 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -29,6 +29,13 @@ rules:
 - list
 - patch
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
diff --git a/controllers/provisioning_controller.go b/controllers/provisioning_controller.go
index e94e3e5fc..e9cbe79fa 100644
--- a/controllers/provisioning_controller.go
+++ b/controllers/provisioning_controller.go
@@ -87,6 +87,7 @@ type ensureFunc func(*provisioning.ProvisioningInfo) (bool, error)
 // +kubebuilder:rbac:groups=config.openshift.io,resources=clusteroperators;clusteroperators/status,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures;infrastructures/status,verbs=get
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;watch;list;patch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=list;get
 // +kubebuilder:rbac:groups="",resources=configmaps;secrets;services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=metal3.io,resources=provisionings;provisionings/finalizers,verbs=get;list;watch;create;update;patch;delete
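Review bot: The added marker `// +kubebuilder:rbac:groups="",resources=pods,verbs=list;get` grants more than the new code uses: getPodHostIP in provisioning/baremetal_pod.go only calls `Pods(targetNamespace).List`, so `get` is unused, and with no `namespace=` argument the marker presumably produces a cluster-wide rule. Pod objects expose container env, volume and secret references and node placement, so read access is worth keeping as narrow as the single-namespace list requires. Consider `// +kubebuilder:rbac:groups="",namespace=<operand-namespace placeholder>,resources=pods,verbs=list` and regenerating. The same get/list rule is added in config/rbac/role.yaml and manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml, whose Role or ClusterRole kind is not visible in these hunks.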
diff --git a/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml b/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
index 33471f9ba..a499de262 100644
--- a/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
+++ b/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
@@ -84,6 +84,13 @@ rules:
 - list
 - patch
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
diff --git a/provisioning/baremetal_pod.go b/provisioning/baremetal_pod.go
index 7508edb59..3b10be0e6 100644
--- a/provisioning/baremetal_pod.go
+++ b/provisioning/baremetal_pod.go
@@ -1063,16 +1063,31 @@ func DeleteMetal3Deployment(info *ProvisioningInfo) error {
 }
 func getPodHostIP(podClient coreclientv1.PodsGetter, targetNamespace string) (string, error) {
+ labelSelector := &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "k8s-app": metal3AppName,
+ cboLabelName: stateService,
+ }}
+
+ selector, err := metav1.LabelSelectorAsSelector(labelSelector)
+ if err != nil {
+ return "", err
+ }
+
 listOptions := metav1.ListOptions{
- LabelSelector: metal3AppName,
- FieldSelector: "status.hostIP",
+ LabelSelector: selector.String(),
 }
 podList, err := podClient.Pods(targetNamespace).List(context.Background(), listOptions)
- if err == nil && len(podList.Items) > 0 {
- // We expect only one pod with the above LabelSelector
- hostIP := podList.Items[0].Status.HostIP
- return hostIP, err
+ if err != nil {
+ return "", err
+ }
+
+ // We expect only one pod with the above LabelSelector
+ if len(podList.Items) != 1 {
+ return "", fmt.Errorf("there should be only one pod listed for the given label")
 }
- return "", err
+
+ hostIP := podList.Items[0].Status.HostIP
+ return hostIP, err
 }
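Review bot: getPodHostIP can still return an empty string with a nil error: `podList.Items[0].Status.HostIP` is unset until the matched pod has been scheduled to a node, and the final `return hostIP, err` passes that through as success. Add a guard before the return, `if hostIP == "" { return "", fmt.Errorf("pod %s/%s has no host IP yet", targetNamespace, podList.Items[0].Name) }`, and finish with `return hostIP, nil`, since err is always nil at that point. The `len(podList.Items) != 1` error would be easier to act on if it carried `selector.String()`, the namespace and the number of pods found, because zero or two matches may occur while the pod is being replaced and callers presumably need to tell that apart from a misconfiguration. The function is fully contained in this hunk.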