From b24ac477e300e6ed5914bd23d3191c5e1db22c3c Mon Sep 17 00:00:00 2001
From: Ilan Filonenko
Date: Wed, 17 Jun 2020 07:40:39 -0700
Subject: [PATCH] Fix lack of event patching in ClusterRole (#887)

* add events
* role.yaml
* apigroup
---
 Makefile | 1 +
 config/default/kustomization.yaml | 2 +-
 .../rbac/{rbac_role.yaml => role.yaml} | 120 +++++++++---------
 pkg/controller/inferenceservice/controller.go | 23 ++--
 4 files changed, 79 insertions(+), 67 deletions(-)
 rename config/default/rbac/{rbac_role.yaml => role.yaml} (96%)
diff --git a/Makefile b/Makefile
index 4ad692fadc5..2521d26a1cc 100644
--- a/Makefile
+++ b/Makefile
@@ -91,6 +91,7 @@ undeploy-dev:
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
 $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=kfserving-manager-role webhook paths=./pkg/apis/... output:crd:dir=config/default/crds/base
+ $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=kfserving-manager-role paths=./pkg/controller/inferenceservice/... output:rbac:artifacts:config=config/default/rbac
 kustomize build config/default/crds -o config/default/crds/base/serving.kubeflow.org_inferenceservices.yaml
 #TODO Remove this until new controller-tools is released
 perl -pi -e 's/storedVersions: null/storedVersions: []/g' config/default/crds/base/serving.kubeflow.org_inferenceservices.yaml
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 97541f1b6ec..7420d7128b7 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -18,7 +18,7 @@ namespace: kfserving-system
 resources:
 - crds/base/serving.kubeflow.org_inferenceservices.yaml
 - configmap/inferenceservice.yaml
-- rbac/rbac_role.yaml
+- rbac/role.yaml
 - rbac/rbac_role_binding.yaml
 - manager/manager.yaml
 - manager/service.yaml
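Review bot: In the Makefile hunk the first `$(CONTROLLER_GEN)` run still carries `rbac:roleName=kfserving-manager-role` while scanning only `./pkg/apis/...`, so two invocations now name the same role from different paths. The ClusterRole is produced by the added line from `./pkg/controller/inferenceservice/...`, so dropping the `rbac:` option from the first run would leave a single place that defines the manager's privileges. RBAC markers added in any other package would presumably not reach `config/default/rbac/role.yaml` with this `paths=` value. A comment on the `manifests` target such as `# RBAC is generated only from markers under pkg/controller/inferenceservice` would make that limit visible to whoever adds the next controller.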
diff --git a/config/default/rbac/rbac_role.yaml b/config/default/rbac/role.yaml similarity index 96% rename from config/default/rbac/rbac_role.yaml rename to config/default/rbac/role.yaml index 1555da0ec7c..e364281734e 100644 --- a/config/default/rbac/rbac_role.yaml +++ b/config/default/rbac/role.yaml @@ -1,3 +1,5 @@ + +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -5,65 +7,58 @@ metadata: name: kfserving-manager-role rules: - apiGroups: - - serving.knative.dev + - admissionregistration.k8s.io resources: - - services + - mutatingwebhookconfigurations + - validatingwebhookconfigurations verbs: - - get - - list - - watch - create - - update - - patch - delete -- apiGroups: - - serving.knative.dev - resources: - - services/status - verbs: - get - - update + - list - patch + - update + - watch - apiGroups: - - networking.istio.io + - "" resources: - - virtualservices + - configmaps verbs: - get - list - watch - - create - - update - - patch - - delete - apiGroups: - - networking.istio.io + - "" resources: - - virtualservices/status + - events verbs: + - create + - delete - get - - update + - list - patch + - update + - watch - apiGroups: - - serving.kubeflow.org + - "" resources: - - inferenceservices + - namespaces verbs: - get - list - watch - - create - - update - - patch - - delete - apiGroups: - - serving.kubeflow.org + - "" resources: - - inferenceservices/status + - secrets verbs: + - create + - delete - get - - update + - list - patch + - update + - watch - apiGroups: - "" resources: 
@@ -75,61 +70,72 @@ rules: - apiGroups: - "" resources: - - secrets + - services verbs: + - create + - delete - get - list + - patch + - update - watch - apiGroups: - - "" + - networking.istio.io resources: - - configmaps + - virtualservices verbs: + - create + - delete - get - list + - patch + - update - watch - apiGroups: - - admissionregistration.k8s.io + - networking.istio.io resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations + - virtualservices/status verbs: - get - - list - - watch - - create - - update - patch - - delete + - update - apiGroups: - - "" + - serving.knative.dev resources: - - secrets + - services verbs: + - create + - delete - get - list - - watch - - create - - update - patch - - delete + - update + - watch - apiGroups: - - "" + - serving.knative.dev resources: - - services + - services/status verbs: - get - - list - - watch - - create - - update - patch - - delete + - update - apiGroups: - - "" + - serving.kubeflow.org resources: - - namespaces + - inferenceservices verbs: + - create + - delete - get - list + - patch + - update - watch +- apiGroups: + - serving.kubeflow.org + resources: + - inferenceservices/status + verbs: + - get + - patch + - update diff --git a/pkg/controller/inferenceservice/controller.go b/pkg/controller/inferenceservice/controller.go index 6a1a0102af8..41d31d672fa 100644 --- a/pkg/controller/inferenceservice/controller.go +++ b/pkg/controller/inferenceservice/controller.go 
@@ -14,6 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// +kubebuilder:rbac:groups=serving.knative.dev,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=serving.knative.dev,resources=services/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
+// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete
+
 package service
 
 import (
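Review bot: The `events` marker grants `get;list;watch;create;update;patch;delete`, which is wider than the event patching the commit title describes. If the controller only emits events through a recorder, `// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch` is likely enough, and `delete` in particular should go unless some code path removes events. The `secrets` marker also moves from the old read-only `get;list;watch` to full write verbs; the previous role.yaml already carried them, but because this is a ClusterRole the marker now makes write access to Secrets in every namespace the declared intent. A one-line comment above that marker naming the code that creates or deletes Secrets would help, or the verbs should be narrowed if none does. Neither usage is visible in this hunk, so both points need confirming against the reconciler code.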
@@ -128,15 +142,6 @@ type Reconciler interface {
 
 // Reconcile reads that state of the cluster for a Service object and makes changes based on the state read
 // and what is in the Service.Spec
-// +kubebuilder:rbac:groups=serving.knative.dev,resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=serving.knative.dev,resources=services/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=networking.istio.io,resources=virtualservices/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=serving.kubeflow.org,resources=inferenceservices/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=,resources=serviceaccounts,verbs=get;list;watch
-// +kubebuilder:rbac:groups=,resources=secrets,verbs=get;list;watch
-// +kubebuilder:rbac:groups=,resources=configmaps,verbs=get;list;watch
 func (r *ReconcileService) Reconcile(request reconcile.Request) (reconcile.Result, error) {
 // Fetch the InferenceService instance
 isvc := &kfserving.InferenceService{}