From c43a6b304a088ac4c5cae3124d6fa9e4eb54dc6b Mon Sep 17 00:00:00 2001
From: Sandhya Dasu
Date: Tue, 4 Jan 2022 15:35:29 -0500
Subject: [PATCH] Allow CBO to list Pods only in the openshift-machine-api namespace

---
 config/rbac/role.yaml | 15 ++++++++-------
 controllers/provisioning_controller.go | 2 +-
 ...000_31_cluster-baremetal-operator_05_rbac.yaml | 15 ++++++++-------
 3 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index b8a362624..c1d24987e 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -29,13 +29,6 @@ rules:
   - list
   - patch
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -234,6 +227,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
diff --git a/controllers/provisioning_controller.go b/controllers/provisioning_controller.go
index e9cbe79fa..e806299e3 100644
--- a/controllers/provisioning_controller.go
+++ b/controllers/provisioning_controller.go
@@ -77,6 +77,7 @@ type ProvisioningReconciler struct {
 type ensureFunc func(*provisioning.ProvisioningInfo) (bool, error)
 
 // +kubebuilder:rbac:namespace=openshift-machine-api,groups="",resources=configmaps;secrets;services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:namespace=openshift-machine-api,groups="",resources=pods,verbs=get;list;watch
 // +kubebuilder:rbac:namespace=openshift-machine-api,groups=security.openshift.io,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:namespace=openshift-machine-api,groups=apps,resources=deployments;daemonsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:namespace=openshift-machine-api,groups=monitoring.coreos.com,resources=servicemonitors,verbs=create;watch;get;list;patch
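Review bot: The added marker `// +kubebuilder:rbac:namespace=openshift-machine-api,groups="",resources=pods,verbs=get;list;watch` grants `watch`, which the cluster-scoped marker it replaces (`verbs=list;get`) never did, so the commit widens the verb set while narrowing the scope, and the title describes only the narrowing. If the controller sets up no pod informer or Watch call, drop `watch` so the namespaced Role stays minimal; if it does, the commit message should say so. The generated rules in the config/rbac/role.yaml and manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml hunks carry the same extra verb and should follow whatever is decided here. It is also worth confirming that every pod lookup in the operator goes through a client or cache restricted to openshift-machine-api, since a cross-namespace list will now be denied at runtime rather than at review time.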
@@ -87,7 +88,6 @@ type ensureFunc func(*provisioning.ProvisioningInfo) (bool, error)
 // +kubebuilder:rbac:groups=config.openshift.io,resources=clusteroperators;clusteroperators/status,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures;infrastructures/status,verbs=get
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;watch;list;patch
-// +kubebuilder:rbac:groups="",resources=pods,verbs=list;get
 // +kubebuilder:rbac:groups="",resources=configmaps;secrets;services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=metal3.io,resources=provisionings;provisionings/finalizers,verbs=get;list;watch;create;update;patch;delete
diff --git a/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml b/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
index a499de262..a889282c4 100644
--- a/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
+++ b/manifests/0000_31_cluster-baremetal-operator_05_rbac.yaml
@@ -22,6 +22,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -84,13 +92,6 @@ rules:
   - list
   - patch
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
 - apiGroups:
   - admissionregistration.k8s.io
   resources: