diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 1805a2e1..3c88b378 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -13,45 +13,3 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml - -# needed for nfd-worker -# this patch is needed given that -# +kubebuilder does not allow resourceNames -patchesJSON6902: -- target: - kind: ClusterRole - name: manager-role - patch: |- - - op: add - path: /rules/0 - value: - apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - nfd-worker - - op: add - path: /rules/1 - value: - apiGroups: - - nfd.k8s-sigs.io - resources: - - nodefeaturerules - verbs: - - get - - list - - watch - - op: add - path: /rules/2 - value: - apiGroups: - - topology.node.k8s.io - resources: - - noderesourcetopologies - verbs: - - create - - get - - update \ No newline at end of file diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 8bd629d3..47573547 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,6 +5,14 @@ metadata: creationTimestamp: null name: manager-role rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - watch - apiGroups: - apps resources: 
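Review bot: The new events rule in role.yaml grants `create`, `update` and `watch` but drops the `patch` verb the previous rule had; if events are emitted through client-go's EventRecorder that matters, because the recorder patches an existing Event to bump its count for repeats, and those calls would now be rejected as forbidden. `watch` on events, on the other hand, is not something a recorder needs, so the least-privilege set is create and patch (update only if some code path actually calls it). Since role.yaml is generated, the change belongs on the kubebuilder marker: `// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch`. Whether the operator uses the recorder at all is not visible in this diff.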
@@ -30,56 +38,44 @@ rules: - update - watch - apiGroups: - - coordination.k8s.io + - cert-manager.io resources: - - leases + - certificates verbs: - - create - - delete - get - list - - update - watch - apiGroups: - - "" + - cert-manager.io resources: - - configmaps + - issuers verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - "" + - coordination.k8s.io resources: - - endpoints + - leases verbs: - create - delete - get - list - - patch - update - watch - apiGroups: - "" resources: - - events + - configmaps verbs: - create + - delete + - get - list - patch - update - watch -- apiGroups: - - "" - resources: - - imagestreams/layers - verbs: - - get - apiGroups: - "" resources: @@ -97,8 +93,6 @@ rules: resources: - nodes verbs: - - create - - delete - get - list - patch @@ -112,25 +106,6 @@ rules: - get - patch - update -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - create - - delete - - get - - list - - watch - apiGroups: - "" resources: @@ -143,24 +118,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - "" resources: 
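Review bot: The configmaps rule this hunk moves into place keeps `create`, `delete`, `patch` and `update` in a ClusterRole, i.e. across every namespace, whereas an operator that only writes the worker configuration ConfigMap into its operand namespace needs write access there alone; as granted, a compromised manager can rewrite ConfigMaps in kube-system. If the operand namespace is fixed, move the write verbs to a namespaced Role/RoleBinding and leave only `get`/`list`/`watch` in the ClusterRole; if it is user-selected, a comment on the corresponding kubebuilder marker saying so would stop the next cleanup from narrowing it. The leases rule kept here also looks wider than leader election needs (client-go's lease lock uses get, create and update), so `delete`, `list` and `watch` are probably droppable. Where the operand namespace comes from is not visible in this diff.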
@@ -186,55 +143,21 @@ rules: - update - watch - apiGroups: - - monitoring.coreos.com - resources: - - prometheusrules - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - nfd.kubernetes.io + - nfd.k8s-sigs.io resources: - - nodefeaturediscoveries + - nodefeaturerules verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - nfd.kubernetes.io + - policy + resourceNames: + - nfd-worker resources: - - nodefeaturediscoveries/finalizers + - podsecuritypolicies verbs: - - update -- apiGroups: - - nfd.kubernetes.io - resources: - - nodefeaturediscoveries/status - verbs: - - get - - patch - - update + - use - apiGroups: - rbac.authorization.k8s.io resources: @@ -284,28 +207,10 @@ rules: - update - watch - apiGroups: - - storage.k8s.io + - topology.node.k8s.io resources: - - csidrivers + - noderesourcetopologies verbs: - create - - delete - get - - list - - patch - update - - watch -- apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - watch diff --git a/controllers/nodefeaturediscovery_controller.go b/controllers/nodefeaturediscovery_controller.go index e814d1a9..6a4dcdf8 100644 --- a/controllers/nodefeaturediscovery_controller.go +++ b/controllers/nodefeaturediscovery_controller.go 
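Review bot: The `use` verb on the nfd-worker PodSecurityPolicy is granted to the manager, which does not itself run under that PSP; it is only meaningful as the permission the manager must already hold to create the worker's ClusterRole under RBAC escalation prevention, and that rationale lived in the kustomization comment this commit deletes. Since role.yaml is generated, record it next to the marker instead, e.g. `// held only so the manager may grant it to the nfd-worker ClusterRole (RBAC escalation check)`. Worth noting too that the PodSecurityPolicy API is removed in Kubernetes 1.25+, so on such clusters this rule and the worker's are inert and the worker's pod security has to come from Pod Security Admission or an equivalent. Whether the manager still creates a PSP-bearing worker role is not visible in this diff.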
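Review bot: The `create`/`update`/`get` grant on noderesourcetopologies in this hunk is presumably held so the manager can grant those same verbs to the topology-updater it deploys (RBAC escalation prevention), since nothing here suggests the manager writes NRT objects itself; if so, the verb set must stay a superset of whatever the operator puts in the topology-updater ClusterRole, and a mismatch surfaces as a forbidden error when the manager creates or updates that ClusterRole rather than at NRT time. A one-line comment on the marker stating that dependency, e.g. `// must cover every verb the operator grants to nfd-topology-updater`, would make the coupling visible. The topology-updater RBAC the manager creates is not part of this diff, so this is inferred.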
@@ -97,35 +97,28 @@ func validateUpdateEvent(e *event.UpdateEvent) bool {
return true
}
-// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=update
+// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get;patch;update
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=pods/log,verbs=get
// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=imagestreams/layers,verbs=get
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=events,verbs=list;watch;create;update;patch
-// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;list;watch;update;
-// +kubebuilder:rbac:groups=core,resources=persistentvolumes,verbs=get;list;watch;create;delete
// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=csinodes,verbs=get;list;watch
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=csidrivers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheusrules,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;watch;update
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=use,resourceNames=nfd-worker
+// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch
+// +kubebuilder:rbac:groups=topology.node.k8s.io,resources=noderesourcetopologies,verbs=create;update;get
+// +kubebuilder:rbac:groups=nfd.k8s-sigs.io,resources=nodefeaturerules,verbs=get;list;watch
// Reconcile is part of the main kubernetes reconciliation loop which aims
// to move the current state of the cluster closer to the desired state.
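Review bot: The three `nfd.kubernetes.io` markers for `nodefeaturediscoveries`, `nodefeaturediscoveries/status` and `nodefeaturediscoveries/finalizers` are removed without a replacement, and the regenerated role.yaml in this commit carries no rule for that group either; unless those markers now live in another file under controller-gen's paths, the manager loses get/list/watch on its own primary resource and the status/finalizer updates those markers implied, which fails with forbidden at runtime rather than at build. If the move was deliberate, say where in the commit message; otherwise restore `// +kubebuilder:rbac:groups=nfd.kubernetes.io,resources=nodefeaturediscoveries,verbs=get;list;watch;create;update;patch;delete` together with its `/status` (get;update;patch) and `/finalizers` (update) companions. Two smaller points: the two `nodes` markers can be merged into one `verbs=get;list;watch;patch;update`, and the new events marker uses `groups=""` where every neighbour uses `groups=core` (controller-gen treats them alike, but the mix reads as a typo). The Reconcile function these markers attach to starts after the hunk.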