From 6b5a9b59698eb59cb41cc9b1c70e4981ce574702 Mon Sep 17 00:00:00 2001
From: Richard Fisher
Date: Fri, 11 Mar 2022 13:13:45 +0000
Subject: [PATCH] add escalate and bind permissions for operator

---
 config/rbac/role.yaml | 28 ++++++++++++++++------------
 controllers/namespace_controller.go | 26 +++++++++++++------------
 2 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index ab40ef2..2fefa51 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -12,6 +12,7 @@ rules:
 verbs:
 - create
 - delete
+ - escalate
 - get
 - list
 - patch
@@ -58,7 +59,7 @@ rules:
 - patch
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - clusterrolebindings
 verbs:
@@ -70,13 +71,13 @@ rules:
 - update
 - watch
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - clusterrolebindings/finalizers
 verbs:
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - clusterrolebindings/status
 verbs:
@@ -84,7 +85,7 @@ rules:
 - patch
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - clusterroles
 verbs:
@@ -96,13 +97,13 @@ rules:
 - update
 - watch
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - clusterroles/finalizers
 verbs:
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - clusterroles/status
 verbs:
@@ -110,25 +111,26 @@ rules:
 - patch
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - rolebindings
 verbs:
 - create
 - delete
+ - escalate
 - get
 - list
 - patch
 - update
 - watch
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - rolebindings/finalizers
 verbs:
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - rolebindings/status
 verbs:
@@ -136,25 +138,27 @@ rules:
 - patch
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - roles
 verbs:
+ - bind
 - create
 - delete
+ - escalate
 - get
 - list
 - patch
 - update
 - watch
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - roles/finalizers
 verbs:
 - update
 - apiGroups:
- - rbac
+ - rbac.authorization.k8s.io
 resources:
 - roles/status
 verbs:
diff --git a/controllers/namespace_controller.go b/controllers/namespace_controller.go
index 3fc5351..7c8d59a 100644
--- a/controllers/namespace_controller.go
+++ b/controllers/namespace_controller.go
@@ -42,19 +42,19 @@ type NamespaceReconciler struct {
 //+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=namespaces/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=core,resources=namespaces/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=clusterroles/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=clusterroles/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=clusterrolebindings/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=clusterrolebindings/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=roles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=roles/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=roles/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=rolebindings/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=rolebindings/finalizers,verbs=update
-//+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/finalizers,verbs=update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/finalizers,verbs=update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete;escalate;bind
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles/finalizers,verbs=update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete;escalate
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/finalizers,verbs=update
+//+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs,verbs=get;list;watch;create;update;patch;delete;escalate
 //+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs/finalizers,verbs=update
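Review bot: The `escalate` verb added to the `rolebindings` marker and to the `providerconfigs` marker in this hunk is inert: the API server's escalation check evaluates `escalate` only on `roles`/`clusterroles` in `rbac.authorization.k8s.io`, and the corresponding check for bindings is `bind` on the referenced role, so these two grants change nothing except making the generated ClusterRole read broader than it is; both lines should go back to `verbs=get;list;watch;create;update;patch;delete`, and regenerating config/rbac/role.yaml then also removes the same stray `escalate` under `rolebindings` in that file's `@@ -110,25 +111,26 @@` hunk. The `escalate;bind` kept on `roles` is the substantive change: with it the operator's service account can create Roles in any namespace whose rules exceed its own permissions and bind them, which switches off the RBAC escalation guard for this identity. If the Roles the reconciler creates have a fixed, known rule set, granting the operator exactly those rules lets the check pass without `escalate` at all, and in either case the marker deserves a why-comment such as `// escalate/bind on roles: the reconciler creates namespace Roles whose rules are not a subset of the operator's own (see <TODO: reference to the rule set it creates>)`. The `NamespaceReconciler` declaration these markers are attached to begins before this hunk.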