diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index eb4c416e902..619225b7be3 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -91,14 +91,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
- - apps
- resources:
- - daemonsets
- verbs:
- - get
- - list
- - watch
 - apiGroups:
 - apps
 resources:
@@ -123,30 +115,6 @@ rules:
 - statefulsets
 verbs:
 - '*'
-- apiGroups:
- - apps.openshift.io
- resources:
- - deploymentconfigs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apps.openshift.io
- resources:
- - deploymentconfigs/instantiate
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - argoproj.io
 resources:
@@ -482,16 +450,24 @@ rules:
 resources:
 - secrets
 verbs:
- - '*'
 - create
- - get
+ - delete
+ - list
+ - patch
+ - update
 - watch
 - apiGroups:
 - ""
 resources:
 - secrets/finalizers
 verbs:
- - '*'
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 resources:
@@ -1028,10 +1004,13 @@ rules:
 resources:
 - oauthclients
 verbs:
- - '*'
 - create
 - delete
 - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - opendatahub.io
 resources:
diff --git a/controllers/datasciencecluster/datasciencecluster_controller.go b/controllers/datasciencecluster/datasciencecluster_controller.go
index b9e19ae5588..4b50bf4f9c8 100644
--- a/controllers/datasciencecluster/datasciencecluster_controller.go
+++ b/controllers/datasciencecluster/datasciencecluster_controller.go
@@ -27,7 +27,6 @@ import (
 "github.com/go-logr/logr"
 "github.com/hashicorp/go-multierror"
- ocappsv1 "github.com/openshift/api/apps/v1"
 ocbuildv1 "github.com/openshift/api/build/v1"
 ocimgv1 "github.com/openshift/api/image/v1"
 v1 "github.com/openshift/api/operator/v1"
@@ -391,13 +390,10 @@ func (r *DataScienceClusterReconciler) SetupWithManager(mgr ctrl.Manager) error
 Owns(&authv1.ClusterRole{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, modelMeshRolePredicates))).
 Owns(&authv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, modelMeshRBPredicates))).
 Owns(&appsv1.Deployment{}).
- Owns(&appsv1.ReplicaSet{}).
- Owns(&corev1.Pod{}).
 Owns(&corev1.PersistentVolumeClaim{}).
 Owns(&corev1.Service{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, modelMeshGeneralPredicates))).
- Owns(&appsv1.DaemonSet{}).
+ Owns(&corev1.Service{}).
 Owns(&appsv1.StatefulSet{}).
- Owns(&ocappsv1.DeploymentConfig{}).
 Owns(&ocimgv1.ImageStream{}).
 Owns(&ocbuildv1.BuildConfig{}).
 Owns(&apiregistrationv1.APIService{}).
diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go
index 6dbfaba89fe..ed41ca97013 100644
--- a/controllers/datasciencecluster/kubebuilder_rbac.go
+++ b/controllers/datasciencecluster/kubebuilder_rbac.go
@@ -35,8 +35,6 @@ package datasciencecluster
 /* This is for operator */
 // +kubebuilder:rbac:groups="apiregistration.k8s.io",resources=apiservices,verbs=get;list;watch
-// +kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch
-
 // +kubebuilder:rbac:groups="operators.coreos.com",resources=catalogsources,verbs=get;list;watch
 // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch
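Review bot: The added `Owns(&corev1.Service{}).` registers a second owner-watch on Services in a builder chain that already has `Owns(&corev1.Service{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, modelMeshGeneralPredicates)))` three lines earlier, and the new registration carries no predicates, so presumably every Service event on owned objects now enqueues a reconcile and the predicate filter on the earlier line no longer restricts anything. It sits exactly where `Owns(&appsv1.DaemonSet{}).` was removed, which reads as a mistaken edit rather than an intended second watch; either drop the `+` line or, if a different type was meant, name that type. The matching hunk in dscinitialization_controller.go does not add an equivalent line, which supports reading it as accidental. The builder chain belongs to SetupWithManager, whose start and end lie outside the hunk.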
@@ -90,7 +88,7 @@ package datasciencecluster
 // +kubebuilder:rbac:groups="operator.openshift.io",resources=consoles,verbs=list;watch;patch;delete
-// +kubebuilder:rbac:groups="oauth.openshift.io",resources=oauthclients,verbs=*
+// +kubebuilder:rbac:groups="oauth.openshift.io",resources=oauthclients,verbs=create;delete;list;watch;update;patch;get
 // +kubebuilder:rbac:groups="networking.k8s.io",resources=networkpolicies,verbs=get;create;list;watch;delete;update;patch
 // +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=create;delete;list;update;watch;patch;get
@@ -166,7 +164,8 @@ package datasciencecluster
 // +kubebuilder:rbac:groups="core",resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="core",resources=secrets,verbs=*
+// +kubebuilder:rbac:groups="core",resources=secrets,verbs=create;delete;list;update;watch;patch
+// +kubebuilder:rbac:groups="core",resources=secrets/finalizers,verbs=get;create;watch;update;patch;list;delete
 // +kubebuilder:rbac:groups="core",resources=rhmis,verbs=watch;list
@@ -200,6 +199,7 @@ package datasciencecluster
 // +kubebuilder:rbac:groups="cert-manager.io",resources=certificates;issuers,verbs=create;patch
+// OpenVino still need buildconfig
 // +kubebuilder:rbac:groups="build.openshift.io",resources=builds,verbs=create;patch;delete;list;watch
 // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs/instantiate,verbs=create;patch;delete;get;list;watch
 // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs,verbs=list;watch;create;patch;delete
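Review bot: The new `secrets` marker in the `@@ -166` hunk omits `get`, while the secret-generator controller's own marker that this commit removes (`secrets,verbs=watch;get;create` in secretgenerator_controller.go) declared it, and the regenerated role.yaml in this commit shows the same gap (`create`, `delete`, `list`, `patch`, `update`, `watch`); a direct `Get` of a Secret through an uncached reader would presumably be denied once this role is the only source of those permissions. Confirm that every Secret read goes through the cache, or restore the verb: `// +kubebuilder:rbac:groups="core",resources=secrets,verbs=get;create;delete;list;update;watch;patch`. Separately, the new `secrets/finalizers` marker grants seven verbs on a subresource for which the API server only checks `update` (the OwnerReferencesPermissionEnforcement admission plugin), so `verbs=update` is the least-privilege form and still narrower than the `*` it replaces. The verb order also differs between the two new lines; using one order (`get;list;watch;create;update;patch;delete`, as the serviceaccounts line above does) keeps later diffs readable.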
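Review bot: The added comment `// OpenVino still need buildconfig` in the `@@ -200` hunk is ungrammatical and does not say which rules it justifies, which matters because this commit removes the other OpenShift-only (apps.openshift.io) rules and a later reader will ask why build.openshift.io survives. Suggest `// OpenVINO still needs BuildConfig support, so the build.openshift.io rules below must stay.`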
@@ -230,9 +230,6 @@ package datasciencecluster
 // +kubebuilder:rbac:groups="*",resources=deployments,verbs=*
 // +kubebuilder:rbac:groups="extensions",resources=deployments,verbs=*
-// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs/instantiate,verbs=get;list;watch;create;update;patch;delete
-
 // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;patch;delete
 // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete;patch
diff --git a/controllers/dscinitialization/dscinitialization_controller.go b/controllers/dscinitialization/dscinitialization_controller.go
index 7000fe2656a..71cc7819aa4 100644
--- a/controllers/dscinitialization/dscinitialization_controller.go
+++ b/controllers/dscinitialization/dscinitialization_controller.go
@@ -283,8 +283,6 @@ func (r *DSCInitializationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 Owns(&authv1.ClusterRole{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
 Owns(&authv1.ClusterRoleBinding{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
 Owns(&appsv1.Deployment{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
- Owns(&appsv1.ReplicaSet{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
- Owns(&corev1.Pod{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
 Owns(&corev1.ServiceAccount{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
 Owns(&corev1.Service{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
 Owns(&routev1.Route{}, builder.WithPredicates(predicate.Or(predicate.GenerationChangedPredicate{}, predicate.LabelChangedPredicate{}))).
diff --git a/controllers/secretgenerator/secretgenerator_controller.go b/controllers/secretgenerator/secretgenerator_controller.go
index 1b0464d1090..4d84ccf2dd3 100644
--- a/controllers/secretgenerator/secretgenerator_controller.go
+++ b/controllers/secretgenerator/secretgenerator_controller.go
@@ -49,11 +49,6 @@ const (
 var secGenLog = log.Log.WithName("secret-generator")
-// +kubebuilder:rbac:groups="oauth.openshift.io",resources=oauthclients,verbs=create;delete;get
-// +kubebuilder:rbac:groups="core",resources=secrets,verbs=watch;get;create
-// +kubebuilder:rbac:groups="route.openshift.io",resources=routes,verbs=get
-// +kubebuilder:rbac:groups="core",resources=secrets/finalizers,verbs=*
-
 // SecretGeneratorReconciler holds the controller configuration.
 type SecretGeneratorReconciler struct {
 Client client.Client