Fix lack of event patching in ClusterRole (kubeflow#887)

* add events * role.yaml * apigroup
magdalenakuhn17 · Jun 17, 2020 · b24ac47 · b24ac47
1 parent a7a5900
commit b24ac47
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 67 deletions.
diff --git a/Makefile b/Makefile
@@ -91,6 +91,7 @@ undeploy-dev:
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=kfserving-manager-role webhook paths=./pkg/apis/... output:crd:dir=config/default/crds/base
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=kfserving-manager-role paths=./pkg/controller/inferenceservice/... output:rbac:artifacts:config=config/default/rbac
 	kustomize build config/default/crds -o config/default/crds/base/serving.kubeflow.org_inferenceservices.yaml
 	#TODO Remove this until new controller-tools is released
 	perl -pi -e 's/storedVersions: null/storedVersions: []/g' config/default/crds/base/serving.kubeflow.org_inferenceservices.yaml

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -18,7 +18,7 @@ namespace: kfserving-system
 resources:
 - crds/base/serving.kubeflow.org_inferenceservices.yaml
 - configmap/inferenceservice.yaml
-- rbac/rbac_role.yaml
+- rbac/role.yaml
 - rbac/rbac_role_binding.yaml
 - manager/manager.yaml
 - manager/service.yaml

diff --git a/config/default/rbac/rbac_role.yaml → config/default/rbac/role.yaml b/config/default/rbac/rbac_role.yaml → config/default/rbac/role.yaml
@@ -1,69 +1,64 @@
+
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: kfserving-manager-role
 rules:
 - apiGroups:
-  - serving.knative.dev
+  - admissionregistration.k8s.io
   resources:
-  - services
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
   verbs:
-  - get
-  - list
-  - watch
   - create
-  - update
-  - patch
   - delete
-- apiGroups:
-  - serving.knative.dev
-  resources:
-  - services/status
-  verbs:
   - get
-  - update
+  - list
   - patch
+  - update
+  - watch
 - apiGroups:
-  - networking.istio.io
+  - ""
   resources:
-  - virtualservices
+  - configmaps
   verbs:
   - get
   - list
   - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
-  - networking.istio.io
+  - ""
   resources:
-  - virtualservices/status
+  - events
   verbs:
+  - create
+  - delete
   - get
-  - update
+  - list
   - patch
+  - update
+  - watch
 - apiGroups:
-  - serving.kubeflow.org
+  - ""
   resources:
-  - inferenceservices
+  - namespaces
   verbs:
   - get
   - list
   - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
-  - serving.kubeflow.org
+  - ""
   resources:
-  - inferenceservices/status
+  - secrets
   verbs:
+  - create
+  - delete
   - get
-  - update
+  - list
   - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -75,61 +70,72 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - secrets
+  - services
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
-  - ""
+  - networking.istio.io
   resources:
-  - configmaps
+  - virtualservices
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
-  - admissionregistration.k8s.io
+  - networking.istio.io
   resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
+  - virtualservices/status
   verbs:
   - get
-  - list
-  - watch
-  - create
-  - update
   - patch
-  - delete
+  - update
 - apiGroups:
-  - ""
+  - serving.knative.dev
   resources:
-  - secrets
+  - services
   verbs:
+  - create
+  - delete
   - get
   - list
-  - watch
-  - create
-  - update
   - patch
-  - delete
+  - update
+  - watch
 - apiGroups:
-  - ""
+  - serving.knative.dev
   resources:
-  - services
+  - services/status
   verbs:
   - get
-  - list
-  - watch
-  - create
-  - update
   - patch
-  - delete
+  - update
 - apiGroups:
-  - ""
+  - serving.kubeflow.org
   resources:
-  - namespaces
+  - inferenceservices
   verbs:
+  - create
+  - delete
   - get
   - list
+  - patch
+  - update
   - watch
+- apiGroups:
+  - serving.kubeflow.org
+  resources:
+  - inferenceservices/status
+  verbs:
+  - get
+  - patch
+  - update
diff --git a/pkg/controller/inferenceservice/controller.go b/pkg/controller/inferenceservice/controller.go
@@ -14,6 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// +kubebuilder:rbac:groups=serving.knative.dev,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=serving.knative.dev,resources=services/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
+// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete
+
 package service
 
 import (
@@ -128,15 +142,6 @@ type Reconciler interface {
 
 // Reconcile reads that state of the cluster for a Service object and makes changes based on the state read
 // and what is in the Service.Spec
-// +kubebuilder:rbac:groups=serving.knative.dev,resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=serving.knative.dev,resources=services/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=,resources=serviceaccounts,verbs=get;list;watch
-// +kubebuilder:rbac:groups=,resources=secrets,verbs=get;list;watch
-// +kubebuilder:rbac:groups=,resources=configmaps,verbs=get;list;watch
 func (r *ReconcileService) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 	// Fetch the InferenceService instance
 	isvc := &kfserving.InferenceService{}