Skip to content

Commit

Permalink
Merge pull request #435 from stuggi/OSPRH-8363
Browse files Browse the repository at this point in the history 
Adding patch rbac perm for serviceaccounts
  • Loading branch information
@openshift-merge-bot
openshift-merge-bot[bot] committed Jul 4, 2024
2 parents a2bf140 + 606ca9a commit e65444c
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 12 deletions.
9 changes: 9 additions & 0 deletions config/rbac/role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down Expand Up @@ -124,6 +125,7 @@ rules:
resources:
- keystoneapis/finalizers
verbs:
- patch
- update
- apiGroups:
- keystone.openstack.org
Expand All @@ -150,6 +152,7 @@ rules:
resources:
- keystoneendpoints/finalizers
verbs:
- patch
- update
- apiGroups:
- keystone.openstack.org
Expand All @@ -176,6 +179,7 @@ rules:
resources:
- keystoneservices/finalizers
verbs:
- patch
- update
- apiGroups:
- keystone.openstack.org
Expand All @@ -202,6 +206,7 @@ rules:
resources:
- mariadbaccounts/finalizers
verbs:
- patch
- update
- apiGroups:
- mariadb.openstack.org
Expand All @@ -222,13 +227,15 @@ rules:
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- memcached.openstack.org
resources:
- memcacheds/finalizers
verbs:
- patch
- update
- apiGroups:
- rabbitmq.openstack.org
Expand All @@ -250,6 +257,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand All @@ -260,6 +268,7 @@ rules:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
Expand Down
14 changes: 7 additions & 7 deletions controllers/keystoneapi_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ type KeystoneAPIReconciler struct {

// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete;
Expand All @@ -105,16 +105,16 @@ type KeystoneAPIReconciler struct {
// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbdatabases,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update
// +kubebuilder:rbac:groups=mariadb.openstack.org,resources=mariadbaccounts/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch
// +kubebuilder:rbac:groups=rabbitmq.openstack.org,resources=transporturls,verbs=get;list;watch;create;update;patch;delete

// service account, role, rolebinding
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch
// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
// keystone service account permissions that are needed to grant permission to the above
// +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
// +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
Expand Down
6 changes: 3 additions & 3 deletions controllers/keystoneendpoint_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,11 +51,11 @@ func (r *KeystoneEndpointReconciler) GetLogger(ctx context.Context) logr.Logger

//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/finalizers,verbs=update
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneendpoints/finalizers,verbs=update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;update;patch
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update
//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update;patch

// Reconcile keystone endpoint requests
func (r *KeystoneEndpointReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
Expand Down
4 changes: 2 additions & 2 deletions controllers/keystoneservice_controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,9 +68,9 @@ func (r *KeystoneServiceReconciler) GetLogger(ctx context.Context) logr.Logger {

// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneservices/finalizers,verbs=update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;update;patch
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update
// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis/finalizers,verbs=update;patch

// Reconcile keystone service requests
func (r *KeystoneServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
Expand Down

0 comments on commit e65444c

Please sign in to comment.