diff --git a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml index 67c75ada709..aade3b634e6 100644 --- a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml +++ b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml @@ -9,9 +9,6 @@ metadata: "kind": "OdhQuickStart", "metadata": { "annotations": { - "internal.config.kubernetes.io/previousKinds": "OdhQuickStart", - "internal.config.kubernetes.io/previousNames": "create-jupyter-notebook", - "internal.config.kubernetes.io/previousNamespaces": "default", "opendatahub.io/categories": "Getting started,Notebook environments" }, "labels": { @@ -316,26 +313,13 @@ spec: - patch - update - watch - - apiGroups: - - admissionregistration.k8s.io/v1 - resources: - - mutatingwebhookconfigurations - verbs: - - create - - get - - apiGroups: - - admissionregistration.k8s.io/v1 - resources: - - validatingwebhookconfigurations - verbs: - - create - - get - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create + - delete - get - list - patch @@ -351,25 +335,13 @@ spec: resources: - deployments/finalizers verbs: - - create - - delete - - list - - patch - - update - - watch + - '*' - apiGroups: - apps resources: - replicasets verbs: - '*' - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - apps resources: @@ -380,6 +352,17 @@ spec: - apps.openshift.io resources: - deploymentconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps.openshift.io + resources: - deploymentconfigs/instantiate verbs: - create @@ -435,6 +418,7 @@ spec: resources: - machineautoscalers verbs: + - delete - list - patch - apiGroups: @@ -442,6 +426,7 @@ spec: resources: - machinesets verbs: + - delete - list - patch - apiGroups: @@ -541,6 +526,7 @@ spec: - consolelinks verbs: - create + - delete - get - patch - apiGroups: 
@@ -549,6 +535,7 @@ spec: - odhquickstarts verbs: - create + - delete - get - list - patch @@ -558,6 +545,7 @@ spec: - controllermanagerconfigs verbs: - create + - delete - get - patch - apiGroups: @@ -585,27 +573,25 @@ spec: - configmaps verbs: - create + - delete - get + - patch - watch - apiGroups: - "" resources: - configmaps/status verbs: + - delete - get + - patch - update - apiGroups: - "" resources: - deployments verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - "" resources: @@ -641,6 +627,7 @@ spec: resources: - namespaces/finalizers verbs: + - delete - list - patch - update @@ -730,6 +717,7 @@ spec: - create - delete - list + - patch - update - watch - apiGroups: @@ -744,6 +732,7 @@ spec: - odhapplications verbs: - create + - delete - get - list - patch @@ -753,6 +742,7 @@ spec: - odhdocuments verbs: - create + - delete - get - list - patch @@ -826,13 +816,14 @@ spec: - dscinitializations/finalizers verbs: - get - - patch + - patchdelete - update - apiGroups: - dscinitialization.opendatahub.io resources: - dscinitializations/status verbs: + - delete - get - patch - update @@ -841,6 +832,7 @@ spec: resources: - events verbs: + - delete - list - patch - watch @@ -855,6 +847,7 @@ spec: resources: - ingresses verbs: + - delete - list - patch - watch @@ -880,6 +873,7 @@ spec: resources: - rhmis verbs: + - delete - list - patch - watch @@ -888,6 +882,7 @@ spec: resources: - kfdefs verbs: + - delete - get - list - patch @@ -903,6 +898,7 @@ spec: resources: - machineautoscalers verbs: + - delete - list - patch - apiGroups: @@ -910,6 +906,7 @@ spec: resources: - machinesets verbs: + - delete - list - patch - apiGroups: @@ -942,6 +939,7 @@ spec: - prometheusrules verbs: - create + - delete - get - patch - apiGroups: @@ -979,6 +977,7 @@ spec: resources: - virtualservices/status verbs: + - delete - patch - update - apiGroups: @@ -1030,6 +1029,7 @@ spec: resources: - consoles verbs: + - delete - list - patch - watch 
@@ -1047,7 +1047,9 @@ spec: - customresourcedefinitions verbs: - create + - delete - get + - patch - apiGroups: - operators.coreos.com resources: @@ -1093,47 +1095,24 @@ spec: - clusterrolebindings verbs: - '*' - - create - - delete - - get - - list - - update - - watch - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles verbs: - '*' - - create - - get - - update - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - '*' - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - rbac.authorization.k8s.io resources: - roles verbs: - '*' - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - route.openshift.io resources: @@ -1195,6 +1174,7 @@ spec: resources: - services/status verbs: + - delete - patch - update - apiGroups: @@ -1224,6 +1204,7 @@ spec: resources: - clusterservingruntimes/status verbs: + - delete - patch - update - apiGroups: @@ -1242,6 +1223,7 @@ spec: resources: - inferencegraphs/status verbs: + - delete - patch - update - apiGroups: @@ -1271,6 +1253,7 @@ spec: resources: - inferenceservices/status verbs: + - delete - patch - update - apiGroups: @@ -1296,6 +1279,7 @@ spec: resources: - predictors/status verbs: + - delete - patch - update - apiGroups: @@ -1338,6 +1322,7 @@ spec: resources: - trainedmodels/status verbs: + - delete - patch - update - apiGroups: @@ -1366,14 +1351,17 @@ spec: - groups verbs: - create + - delete - get - list + - patch - watch - apiGroups: - user.openshift.io resources: - users verbs: + - delete - list - patch - watch diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 941d1710a33..ea454d7063d 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -72,26 +72,13 @@ rules: - patch - update - watch -- apiGroups: - - admissionregistration.k8s.io/v1 - resources: - - mutatingwebhookconfigurations - verbs: - - create - - get -- apiGroups: - - admissionregistration.k8s.io/v1 - resources: - - validatingwebhookconfigurations - verbs: - - create - - get - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create + - delete - get - list - patch @@ -107,25 +94,13 @@ rules: resources: - deployments/finalizers verbs: - - create - - delete - - list - - patch - - update - - watch + - '*' - apiGroups: - apps resources: - replicasets verbs: - '*' - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - apps resources: @@ -136,6 +111,17 @@ rules: - apps.openshift.io resources: - deploymentconfigs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps.openshift.io + resources: - deploymentconfigs/instantiate verbs: - create @@ -191,6 +177,7 @@ rules: resources: - machineautoscalers verbs: + - delete - list - patch - apiGroups: @@ -198,6 +185,7 @@ rules: resources: - machinesets verbs: + - delete - list - patch - apiGroups: @@ -297,6 +285,7 @@ rules: - consolelinks verbs: - create + - delete - get - patch - apiGroups: @@ -305,6 +294,7 @@ rules: - odhquickstarts verbs: - create + - delete - get - list - patch @@ -314,6 +304,7 @@ rules: - controllermanagerconfigs verbs: - create + - delete - get - patch - apiGroups: @@ -341,27 +332,25 @@ rules: - configmaps verbs: - create + - delete - get + - patch - watch - apiGroups: - "" resources: - configmaps/status verbs: + - delete - get + - patch - update - apiGroups: - "" resources: - deployments verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - '*' - apiGroups: - "" resources: @@ -397,6 +386,7 @@ rules: resources: - namespaces/finalizers verbs: + - delete - list - patch - update 
@@ -486,6 +476,7 @@ rules: - create - delete - list + - patch - update - watch - apiGroups: @@ -500,6 +491,7 @@ rules: - odhapplications verbs: - create + - delete - get - list - patch @@ -509,6 +501,7 @@ rules: - odhdocuments verbs: - create + - delete - get - list - patch @@ -582,13 +575,14 @@ rules: - dscinitializations/finalizers verbs: - get - - patch + - patchdelete - update - apiGroups: - dscinitialization.opendatahub.io resources: - dscinitializations/status verbs: + - delete - get - patch - update @@ -597,6 +591,7 @@ rules: resources: - events verbs: + - delete - list - patch - watch @@ -611,6 +606,7 @@ rules: resources: - ingresses verbs: + - delete - list - patch - watch @@ -636,6 +632,7 @@ rules: resources: - rhmis verbs: + - delete - list - patch - watch @@ -644,6 +641,7 @@ rules: resources: - kfdefs verbs: + - delete - get - list - patch @@ -659,6 +657,7 @@ rules: resources: - machineautoscalers verbs: + - delete - list - patch - apiGroups: @@ -666,6 +665,7 @@ rules: resources: - machinesets verbs: + - delete - list - patch - apiGroups: @@ -698,6 +698,7 @@ rules: - prometheusrules verbs: - create + - delete - get - patch - apiGroups: @@ -735,6 +736,7 @@ rules: resources: - virtualservices/status verbs: + - delete - patch - update - apiGroups: @@ -786,6 +788,7 @@ rules: resources: - consoles verbs: + - delete - list - patch - watch @@ -803,7 +806,9 @@ rules: - customresourcedefinitions verbs: - create + - delete - get + - patch - apiGroups: - operators.coreos.com resources: 
@@ -849,47 +854,24 @@ rules: - clusterrolebindings verbs: - '*' - - create - - delete - - get - - list - - update - - watch - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles verbs: - '*' - - create - - get - - update - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - '*' - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - rbac.authorization.k8s.io resources: - roles verbs: - '*' - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - route.openshift.io resources: @@ -951,6 +933,7 @@ rules: resources: - services/status verbs: + - delete - patch - update - apiGroups: @@ -980,6 +963,7 @@ rules: resources: - clusterservingruntimes/status verbs: + - delete - patch - update - apiGroups: @@ -998,6 +982,7 @@ rules: resources: - inferencegraphs/status verbs: + - delete - patch - update - apiGroups: @@ -1027,6 +1012,7 @@ rules: resources: - inferenceservices/status verbs: + - delete - patch - update - apiGroups: @@ -1052,6 +1038,7 @@ rules: resources: - predictors/status verbs: + - delete - patch - update - apiGroups: @@ -1094,6 +1081,7 @@ rules: resources: - trainedmodels/status verbs: + - delete - patch - update - apiGroups: @@ -1122,14 +1110,17 @@ rules: - groups verbs: - create + - delete - get - list + - patch - watch - apiGroups: - user.openshift.io resources: - users verbs: + - delete - list - patch - watch diff --git a/controllers/datasciencecluster/datasciencecluster_controller.go b/controllers/datasciencecluster/datasciencecluster_controller.go index 6bc78645320..a51c51f6144 100644 --- a/controllers/datasciencecluster/datasciencecluster_controller.go +++ b/controllers/datasciencecluster/datasciencecluster_controller.go 
@@ -70,92 +70,149 @@ type DataScienceClusterReconciler struct { //+kubebuilder:rbac:groups="datasciencecluster.opendatahub.io",resources=datascienceclusters/finalizers,verbs=update;patch //+kubebuilder:rbac:groups="datasciencecluster.opendatahub.io",resources=datascienceclusters,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups="opendatahub.io",resources=odhdashboardconfigs,verbs=create;get;patch;watch;update;delete;list +// +kubebuilder:rbac:groups="console.openshift.io",resources=odhquickstarts,verbs=create;get;patch;list;delete +// +kubebuilder:rbac:groups="dashboard.opendatahub.io",resources=odhdocuments,verbs=create;get;patch;list;delete +// +kubebuilder:rbac:groups="dashboard.opendatahub.io",resources=odhapplications,verbs=create;get;patch;list;delete +// +kubebuilder:rbac:groups="console.openshift.io",resources=consolelinks,verbs=create;get;patch;delete -// +kubebuilder:rbac:groups="user.openshift.io",resources=users,verbs=list;watch;patch +// +kubebuilder:rbac:groups=operators.coreos.com,resources=clusterserviceversions,verbs=get;list;watch + +// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch +// +kubebuilder:rbac:groups="operators.coreos.com",resources=customresourcedefinitions,verbs=create;get;patch;delete + +// +kubebuilder:rbac:groups="user.openshift.io",resources=users,verbs=list;watch;patch;delete +// +kubebuilder:rbac:groups="user.openshift.io",resources=groups,verbs=get;create;list;watch;patch;delete + +// +kubebuilder:rbac:groups="template.openshift.io",resources=templates,verbs=* // +kubebuilder:rbac:groups="tekton.dev",resources=*,verbs=* // +kubebuilder:rbac:groups="snapshot.storage.k8s.io",resources=volumesnapshots,verbs=create;delete;patch -// +kubebuilder:rbac:groups="serving.kserve.io",resources=trainedmodels/status,verbs=update;patch +// 
+kubebuilder:rbac:groups="serving.kserve.io",resources=trainedmodels/status,verbs=update;patch;delete // +kubebuilder:rbac:groups="serving.kserve.io",resources=trainedmodels,verbs=create;delete;list;update;watch;patch // +kubebuilder:rbac:groups="serving.kserve.io",resources=servingruntimes/status,verbs=update;patch // +kubebuilder:rbac:groups="serving.kserve.io",resources=servingruntimes/finalizers,verbs=create;delete;list;update;watch;patch // +kubebuilder:rbac:groups="serving.kserve.io",resources=servingruntimes,verbs=* -// +kubebuilder:rbac:groups="serving.kserve.io",resources=predictors/status,verbs=update;patch +// +kubebuilder:rbac:groups="serving.kserve.io",resources=predictors/status,verbs=update;patch;delete // +kubebuilder:rbac:groups="serving.kserve.io",resources=predictors/finalizers,verbs=update;patch // +kubebuilder:rbac:groups="serving.kserve.io",resources=predictors,verbs=create;delete;list;update;watch;patch -// +kubebuilder:rbac:groups="serving.kserve.io",resources=inferenceservices/status,verbs=update;patch +// +kubebuilder:rbac:groups="serving.kserve.io",resources=inferenceservices/status,verbs=update;patch;delete // +kubebuilder:rbac:groups="serving.kserve.io",resources=inferenceservices/finalizers,verbs=create;delete;list;update;watch;patch // +kubebuilder:rbac:groups="serving.kserve.io",resources=inferenceservices,verbs=create;delete;list;update;watch;patch -// +kubebuilder:rbac:groups="serving.kserve.io",resources=inferencegraphs/status,verbs=update;patch +// +kubebuilder:rbac:groups="serving.kserve.io",resources=inferencegraphs/status,verbs=update;patch;delete // +kubebuilder:rbac:groups="serving.kserve.io",resources=inferencegraphs,verbs=create;delete;list;update;watch;patch -// +kubebuilder:rbac:groups="serving.kserve.io",resources=clusterservingruntimes/status,verbs=update;patch +// +kubebuilder:rbac:groups="serving.kserve.io",resources=clusterservingruntimes/status,verbs=update;patch;delete // 
+kubebuilder:rbac:groups="serving.kserve.io",resources=clusterservingruntimes/finalizers,verbs=create;delete;list;update;watch;patch // +kubebuilder:rbac:groups="serving.kserve.io",resources=clusterservingruntimes,verbs=create;delete;list;update;watch;patch -// +kubebuilder:rbac:groups="serving.knative.dev",resources=services/status,verbs=update;patch +// +kubebuilder:rbac:groups="serving.knative.dev",resources=services/status,verbs=update;patch;delete // +kubebuilder:rbac:groups="serving.knative.dev",resources=services/finalizers,verbs=create;delete;list;watch;update;patch // +kubebuilder:rbac:groups="serving.knative.dev",resources=services,verbs=create;delete;list;watch;update;patch // +kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,verbs=*,resourceNames=restricted +// +kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,verbs=*,resourceNames=anyuid // +kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,verbs=* -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=patch;delete -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=list;watch;create;update;patch +// +kubebuilder:rbac:groups="route.openshift.io",resources=routes,verbs=get;list;watch;create;delete;update;patch + +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=* + +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=* + // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles,verbs=* +// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterrolebindings,verbs=* + // +kubebuilder:rbac:groups="ray.io",resources=rayservices,verbs=create;delete;list;watch;update;patch // +kubebuilder:rbac:groups="ray.io",resources=rayjobs,verbs=create;delete;list;update;watch;patch // 
+kubebuilder:rbac:groups="ray.io",resources=rayclusters,verbs=create;delete;list;patch -// +kubebuilder:rbac:groups="operator.openshift.io",resources=consoles,verbs=list;watch;patch +// +kubebuilder:rbac:groups="operators.coreos.com",resources=subscriptions,verbs=get;list;watch + +// +kubebuilder:rbac:groups="operator.openshift.io",resources=consoles,verbs=list;watch;patch;delete + // +kubebuilder:rbac:groups="oauth.openshift.io",resources=oauthclients,verbs=* +// +kubebuilder:rbac:groups="networking.k8s.io",resources=networkpolicies,verbs=get;create;list;watch;delete;update;patch // +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=create;delete;list;update;watch;patch -// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/status,verbs=update;patch + +// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/status,verbs=update;patch;delete // +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/finalizers,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices,verbs=* +// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=servicemonitors,verbs=get;create;delete;update;watch;list;patch +// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheusrules,verbs=get;create;patch;delete +// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheuses,verbs=get;create;patch;delete + // +kubebuilder:rbac:groups="mcad.ibm.com",resources=appwrappers,verbs=create;delete;list;patch // +kubebuilder:rbac:groups="machinelearning.seldon.io",resources=seldondeployments,verbs=* -// +kubebuilder:rbac:groups="machine.openshift.io",resources=machinesets,verbs=list;patch -// +kubebuilder:rbac:groups="machine.openshift.io",resources=machineautoscalers,verbs=list;patch + +// +kubebuilder:rbac:groups="machine.openshift.io",resources=machinesets,verbs=list;patch;delete +// 
+kubebuilder:rbac:groups="machine.openshift.io",resources=machineautoscalers,verbs=list;patch;delete // +kubebuilder:rbac:groups="kubeflow.org",resources=*,verbs=* -// +kubebuilder:rbac:groups="kfdef.apps.kubeflow.org",resources=kfdefs,verbs=get;list;watch;patch +// +kubebuilder:rbac:groups="kfdef.apps.kubeflow.org",resources=kfdefs,verbs=get;list;watch;patch;delete -// +kubebuilder:rbac:groups="integreatly.org",resources=rhmis,verbs=list;watch;patch +// +kubebuilder:rbac:groups="integreatly.org",resources=rhmis,verbs=list;watch;patch;delete -// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;list;watch;patch +// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=patch;create;update;delete +// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;list;watch;patch;delete // +kubebuilder:rbac:groups="extensions",resources=replicasets,verbs=* -// +kubebuilder:rbac:groups="extensions",resources=ingresses,verbs=list;watch;patch -// +kubebuilder:rbac:groups="extensions",resources=deployments,verbs=* +// +kubebuilder:rbac:groups="extensions",resources=ingresses,verbs=list;watch;patch;delete -// +kubebuilder:rbac:groups="events.k8s.io",resources=events,verbs=list;watch;patch +// +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations/status,verbs=get;update;patch;delete +// +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations/finalizers,verbs=get;update;patchdelete +// +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="custom.tekton.dev",resources=pipelineloops,verbs=* -// +kubebuilder:rbac:groups="coordination.k8s.io",resources=leases,verbs=get;list;watch;create;update;patch;delete - -// +kubebuilder:rbac:groups="core",resources=services/finalizers,verbs=create;delete;list;update;watch +// 
+kubebuilder:rbac:groups="core",resources=services/finalizers,verbs=create;delete;list;update;watch;patch +// +kubebuilder:rbac:groups="core",resources=services,verbs=get;create;watch;update;patch;list;delete // +kubebuilder:rbac:groups="core",resources=services,verbs=* +// +kubebuilder:rbac:groups="*",resources=services,verbs=* + +// +kubebuilder:rbac:groups="core",resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete + // +kubebuilder:rbac:groups="core",resources=secrets,verbs=* + // +kubebuilder:rbac:groups="core",resources=rhmis,verbs=watch;list + +// +kubebuilder:rbac:groups="core",resources=pods/log,verbs=* +// +kubebuilder:rbac:groups="core",resources=pods/exec,verbs=* +// +kubebuilder:rbac:groups="core",resources=pods,verbs=* + // +kubebuilder:rbac:groups="core",resources=persistentvolumes,verbs=* // +kubebuilder:rbac:groups="core",resources=persistentvolumeclaims,verbs=* -// +kubebuilder:rbac:groups="core",resources=namespaces/finalizers,verbs=update;list;watch;patch -// +kubebuilder:rbac:groups="core",resources=namespaces,verbs=update;patch + +// +kubebuilder:rbac:groups="core",resources=namespaces/finalizers,verbs=update;list;watch;patch;delete +// +kubebuilder:rbac:groups="core",resources=namespaces,verbs=update;patch;delete +// +kubebuilder:rbac:groups="core",resources=namespaces,verbs=get;create;patch;delete;watch + +// +kubebuilder:rbac:groups="core",resources=events,verbs=get;create;watch;update;list;patch;delete // +kubebuilder:rbac:groups="core",resources=events,verbs=delete +// +kubebuilder:rbac:groups="events.k8s.io",resources=events,verbs=list;watch;patch;delete + // +kubebuilder:rbac:groups="core",resources=endpoints,verbs=watch;list -// +kubebuilder:rbac:groups="core",resources=configmaps/status,verbs=get;update -// +kubebuilder:rbac:groups="core",resources=clusterversions,verbs=watch;list +// +kubebuilder:rbac:groups="core",resources=configmaps/status,verbs=get;update;patch;delete +// 
+kubebuilder:rbac:groups="core",resources=configmaps,verbs=get;create;watch;patch;delete + +// +kubebuilder:rbac:groups="core",resources=clusterversions,verbs=watch;list // +kubebuilder:rbac:groups="config.openshift.io",resources=clusterversions,verbs=watch;list +// +kubebuilder:rbac:groups="coordination.k8s.io",resources=leases,verbs=get;list;watch;create;update;patch;delete + +// +kubebuilder:rbac:groups="controller-runtime.sigs.k8s.io",resources=controllermanagerconfigs,verbs=get;create;patch;delete + +// +kubebuilder:rbac:groups="codeflare.codeflare.dev",resources=mcads,verbs=create;patch +// +kubebuilder:rbac:groups="codeflare.codeflare.dev",resources=instascales,verbs=create;patch + +// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates;issuers,verbs=create;patch + // +kubebuilder:rbac:groups="build.openshift.io",resources=builds,verbs=create;patch;delete;list;catch;watch // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs/instantiate,verbs=create;patch;delete;get;list;watch // +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs,verbs=list;watch;create;patch;delete 
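Review bot: The added marker for `dscinitializations/finalizers` reads `verbs=get;update;patchdelete`, with the `;` between `patch` and `delete` missing, so the generator emits a single verb named `patchdelete`; the role.yaml and ClusterServiceVersion hunks in this same commit show `- patchdelete` replacing `- patch`. That verb matches no API request, so the operator loses `patch` on that subresource. I would write the line as `// +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations/finalizers,verbs=get;update;patch`, because as far as I know `delete` is not an operation served on a `/finalizers` or `/status` subresource, and the same goes for the `;delete` appended to the other `*/status` markers in this hunk. The `delete` added for `users`, `groups` and `namespaces` is a real widening of a cluster-scoped role and deserves a comment naming the code path that needs it. The marker block continues past the end of this hunk.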
@@ -163,25 +220,44 @@ type DataScienceClusterReconciler struct { // +kubebuilder:rbac:groups="batch",resources=jobs/status,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="batch",resources=jobs,verbs=* // +kubebuilder:rbac:groups="batch",resources=cronjobs,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="batch",resources=cronjobs,verbs=create;get;patch // +kubebuilder:rbac:groups="autoscaling",resources=horizontalpodautoscalers,verbs=watch;create;update;delete;list;patch -// +kubebuilder:rbac:groups="autoscaling.openshift.io",resources=machinesets,verbs=list;patch -// +kubebuilder:rbac:groups="autoscaling.openshift.io",resources=machineautoscalers,verbs=list;patch +// +kubebuilder:rbac:groups="autoscaling.openshift.io",resources=machinesets,verbs=list;patch;delete +// +kubebuilder:rbac:groups="autoscaling.openshift.io",resources=machineautoscalers,verbs=list;patch;delete + +// +kubebuilder:rbac:groups="authorization.openshift.io",resources=roles,verbs=* +// +kubebuilder:rbac:groups="authorization.openshift.io",resources=rolebindings,verbs=* +// +kubebuilder:rbac:groups="authorization.openshift.io",resources=clusterroles,verbs=* +// +kubebuilder:rbac:groups="authorization.openshift.io",resources=clusterrolebindings,verbs=* // +kubebuilder:rbac:groups="argoproj.io",resources=workflows,verbs=* // +kubebuilder:rbac:groups="apps",resources=statefulsets,verbs=* + // +kubebuilder:rbac:groups="apps",resources=replicasets,verbs=* -// +kubebuilder:rbac:groups="apps",resources=deployments/finalizers,verbs=create;delete;list;update;watch;patch + +// +kubebuilder:rbac:groups="apps",resources=deployments/finalizers,verbs=* +// +kubebuilder:rbac:groups="core",resources=deployments,verbs=* // +kubebuilder:rbac:groups="apps",resources=deployments,verbs=* -// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs;deploymentconfigs/instantiate,verbs=get;list;watch;create;update;patch;delete +// 
+kubebuilder:rbac:groups="*",resources=deployments,verbs=* +// +kubebuilder:rbac:groups="extensions",resources=deployments,verbs=* + +// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs/instantiate,verbs=get;list;watch;create;update;patch;delete + +// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;patch;delete // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete;patch // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=create;delete;list;update;watch;patch -// +kubebuilder:rbac:groups="*",resources=services,verbs=* +// +kubebuilder:rbac:groups="addons.managed.openshift.io",resources=addons,verbs=get + +// +kubebuilder:rbac:groups="*",resources=statefulsets,verbs=create;update;get;list;watch;patch;delete + // +kubebuilder:rbac:groups="*",resources=replicasets,verbs=* -// +kubebuilder:rbac:groups="*",resources=deployments,verbs=* + +// +kubebuilder:rbac:groups="*",resources=customresourcedefinitions,verbs=get;list;watch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/controllers/dscinitialization/dscinitialization_controller.go b/controllers/dscinitialization/dscinitialization_controller.go index 7edf7e5e921..99b379de82d 100644 --- a/controllers/dscinitialization/dscinitialization_controller.go +++ b/controllers/dscinitialization/dscinitialization_controller.go 
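Review bot: The `apps` `deployments/finalizers` marker is widened from an explicit verb list to `verbs=*`, and `groups="core",resources=deployments,verbs=*` is added even though `groups="*",resources=deployments,verbs=*` in the same block already covers every group. For a cluster-scoped role bound to the operator, a wildcard also grants any verb introduced later, so I would keep the previous list, `verbs=create;delete;list;update;watch;patch`, unless a specific call needs more. The added `batch` `cronjobs` marker with `verbs=create;get;patch` is a subset of the line directly above it and can be dropped. Now that the markers from both controllers are merged into one block, a short comment per group saying which component needs the grant would make later trimming possible. The marker block starts before this hunk.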
@@ -56,73 +56,6 @@ type DSCInitializationReconciler struct { ApplicationsNamespace string } -// +kubebuilder:rbac:groups=operators.coreos.com,resources=clusterserviceversions,verbs=get;list;watch -// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch -// +kubebuilder:rbac:groups="user.openshift.io",resources=groups,verbs=get;create;list;watch -// +kubebuilder:rbac:groups="template.openshift.io",resources=templates,verbs=* -// +kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,verbs=*,resourceNames=anyuid -// +kubebuilder:rbac:groups="route.openshift.io",resources=routes,verbs=get;list;watch;create;delete;update;patch - -// +kubebuilder:rbac:groups="operators.coreos.com",resources=customresourcedefinitions,verbs=create;get -// +kubebuilder:rbac:groups="operators.coreos.com",resources=subscriptions,verbs=get;list;watch - -// +kubebuilder:rbac:groups="opendatahub.io",resources=odhdashboardconfigs,verbs=create;get;patch;watch;update;delete;list -// +kubebuilder:rbac:groups="dashboard.opendatahub.io",resources=odhdocuments,verbs=create;get;patch;list -// +kubebuilder:rbac:groups="dashboard.opendatahub.io",resources=odhapplications,verbs=create;get;patch;list - -// +kubebuilder:rbac:groups="networking.k8s.io",resources=networkpolicies,verbs=get;create;list;watch;delete;update;patch - -// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=servicemonitors,verbs=get;create;delete;update;watch;list;patch -// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheusrules,verbs=get;create;patch -// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheuses,verbs=get;create;patch;delete - -// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=patch;create;update;delete - -// +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations/status,verbs=get;update;patch -// 
+kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations/finalizers,verbs=get;update;patch -// +kubebuilder:rbac:groups="dscinitialization.opendatahub.io",resources=dscinitializations,verbs=get;list;watch;create;update;patch;delete - -// +kubebuilder:rbac:groups="core",resources=services,verbs=get;create;watch;update;patch;list;delete -// +kubebuilder:rbac:groups="core",resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups="core",resources=pods/log,verbs=* -// +kubebuilder:rbac:groups="core",resources=pods/exec,verbs=* -// +kubebuilder:rbac:groups="core",resources=pods,verbs=* -// +kubebuilder:rbac:groups="core",resources=namespaces,verbs=get;create;patch;delete;watch -// +kubebuilder:rbac:groups="core",resources=events,verbs=get;create;watch;update;list;patch -// +kubebuilder:rbac:groups="core",resources=deployments,verbs=get;create;watch;update;patch;list;delete -// +kubebuilder:rbac:groups="core",resources=configmaps,verbs=get;create;watch - -// +kubebuilder:rbac:groups="controller-runtime.sigs.k8s.io",resources=controllermanagerconfigs,verbs=get;create;patch - -// +kubebuilder:rbac:groups="console.openshift.io",resources=consolelinks,verbs=create;get;patch -// +kubebuilder:rbac:groups="console.openshift.io",resources=odhquickstarts,verbs=create;get;patch;list - -// +kubebuilder:rbac:groups="codeflare.codeflare.dev",resources=mcads,verbs=create;patch -// +kubebuilder:rbac:groups="codeflare.codeflare.dev",resources=instascales,verbs=create;patch - -// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates;issuers,verbs=create;patch - -// +kubebuilder:rbac:groups="batch",resources=cronjobs,verbs=create;get;patch - -// +kubebuilder:rbac:groups="apps",resources=replicasets,verbs=get;create;watch;update;patch;list;delete - -// +kubebuilder:rbac:groups="admissionregistration.k8s.io/v1",resources=validatingwebhookconfigurations,verbs=create;get -// 
+kubebuilder:rbac:groups="admissionregistration.k8s.io/v1",resources=mutatingwebhookconfigurations,verbs=create;get - -// +kubebuilder:rbac:groups="addons.managed.openshift.io",resources=addons,verbs=get - -// +kubebuilder:rbac:groups="authorization.openshift.io",resources=clusterrolebindings,verbs=* -// +kubebuilder:rbac:groups="authorization.openshift.io",resources=clusterroles,verbs=* -// +kubebuilder:rbac:groups="authorization.openshift.io",resources=rolebindings,verbs=* -// +kubebuilder:rbac:groups="authorization.openshift.io",resources=roles,verbs=* -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=watch;list;get;create;update;* -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=list;watch;get;create;update;delete;* -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles,verbs=get;create;update;* -// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterrolebindings,verbs=list;watch;get;create;update;delete;* - -// +kubebuilder:rbac:groups="*",resources=statefulsets,verbs=create;update;get;list;watch;patch;delete -// +kubebuilder:rbac:groups="*",resources=customresourcedefinitions,verbs=get;list;watch - // Reconcile contains controller logic specific to DSCInitialization instance updates func (r *DSCInitializationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { r.Log.Info("Reconciling DSCInitialization.", "DSCInitialization", req.Namespace, "Request.Name", req.Name)