Merge pull request #6 from dfds/fix-rolebinding-issue

add escalate and bind permissions for operator
dfds · Mar 11, 2022 · bfcd7ca · bfcd7ca
2 parents f1f5c80 + 6b5a9b5
commit bfcd7ca
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 25 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -12,6 +12,7 @@ rules:
   verbs:
   - create
   - delete
+  - escalate
   - get
   - list
   - patch
@@ -58,7 +59,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - clusterrolebindings
   verbs:
@@ -70,21 +71,21 @@ rules:
   - update
   - watch
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - clusterrolebindings/finalizers
   verbs:
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - clusterrolebindings/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - clusterroles
   verbs:
@@ -96,65 +97,68 @@ rules:
   - update
   - watch
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - clusterroles/finalizers
   verbs:
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - clusterroles/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - rolebindings
   verbs:
   - create
   - delete
+  - escalate
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - rolebindings/finalizers
   verbs:
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - rolebindings/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - roles
   verbs:
+  - bind
   - create
   - delete
+  - escalate
   - get
   - list
   - patch
   - update
   - watch
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - roles/finalizers
   verbs:
   - update
 - apiGroups:
-  - rbac
+  - rbac.authorization.k8s.io
   resources:
   - roles/status
   verbs:

diff --git a/controllers/namespace_controller.go b/controllers/namespace_controller.go
@@ -42,19 +42,19 @@ type NamespaceReconciler struct {
 //+kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=namespaces/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=core,resources=namespaces/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=clusterroles/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=clusterroles/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=clusterrolebindings/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=clusterrolebindings/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=roles,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=roles/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=roles/finalizers,verbs=update
-//+kubebuilder:rbac:groups=rbac,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac,resources=rolebindings/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=rbac,resources=rolebindings/finalizers,verbs=update
-//+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/finalizers,verbs=update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/finalizers,verbs=update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete;escalate;bind
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles/finalizers,verbs=update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete;escalate
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/finalizers,verbs=update
+//+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs,verbs=get;list;watch;create;update;patch;delete;escalate
 //+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=aws.crossplane.io,resources=providerconfigs/finalizers,verbs=update