From a96ccfc48459f4e2665ee41812992dde61211109 Mon Sep 17 00:00:00 2001 From: stinkyfingers Date: Thu, 26 Aug 2021 09:24:46 -0500 Subject: [PATCH 1/2] adds rbac perms to get lease & jobs --- config/rbac/role.yaml | 29 ++++++++++++++++++++++++++ internal/controllers/app_controller.go | 1 + internal/controllers/job_controller.go | 8 ++++--- 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 8060deb7..0361a345 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -99,6 +99,15 @@ rules: - patch - update - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update - apiGroups: - extensions resources: @@ -237,6 +246,26 @@ rules: - get - patch - update +- apiGroups: + - theketch.io + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - theketch.io + resources: + - jobs/status + verbs: + - get + - patch + - update - apiGroups: - traefik.containo.us resources: diff --git a/internal/controllers/app_controller.go b/internal/controllers/app_controller.go index 1d9521f2..285904b3 100644 --- a/internal/controllers/app_controller.go +++ b/internal/controllers/app_controller.go @@ -86,6 +86,7 @@ type Helm interface { // +kubebuilder:rbac:groups="traefik.containo.us",resources=traefikservices,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups="traefik.containo.us",resources=traefikservices/status,verbs=get;update;patch // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;update;delete +// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update func (r *AppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { _ = r.Log.WithValues("app", req.NamespacedName) diff --git a/internal/controllers/job_controller.go b/internal/controllers/job_controller.go index 2d2d217c..b4efe48b 100644 --- a/internal/controllers/job_controller.go +++ b/internal/controllers/job_controller.go @@ -53,9 +53,11 @@ type JobReconcileReason struct { JobName string } -//+kubebuilder:rbac:groups=resources.resources,resources=jobs,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=resources.resources,resources=jobs/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=resources.resources,resources=jobs/finalizers,verbs=update +// +kubebuilder:rbac:groups=resources.resources,resources=jobs,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=resources.resources,resources=jobs/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=resources.resources,resources=jobs/finalizers,verbs=update +// +kubebuilder:rbac:groups=theketch.io,resources=jobs,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=theketch.io,resources=jobs/status,verbs=get;update;patch // Reconcile fetches a Job by name and updates helm charts with differences func (r *JobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { From 1c3e5cfd47dcc0c6f0983e95964df560b1a9d327 Mon Sep 17 00:00:00 2001 From: stinkyfingers Date: Thu, 26 Aug 2021 13:27:43 -0500 Subject: [PATCH 2/2] adds job permissions for batch group --- config/rbac/role.yaml | 12 ++++++++++++ internal/controllers/job_controller.go | 1 + 2 files changed, 13 insertions(+) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 0361a345..0dce56e3 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -87,6 +87,18 @@ rules: - patch - update - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - cert-manager.io resources: diff --git a/internal/controllers/job_controller.go b/internal/controllers/job_controller.go index b4efe48b..c3dc4246 100644 --- a/internal/controllers/job_controller.go +++ b/internal/controllers/job_controller.go @@ -58,6 +58,7 @@ type JobReconcileReason struct { // +kubebuilder:rbac:groups=resources.resources,resources=jobs/finalizers,verbs=update // +kubebuilder:rbac:groups=theketch.io,resources=jobs,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=theketch.io,resources=jobs/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete // Reconcile fetches a Job by name and updates helm charts with differences func (r *JobReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {