fix: sync RBAC config with Helm charts.

Updates the kubebuilder statements to build the RBAC roles in the controller to be in sync with the roles used in the Helm charts. Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
kubewarden · Apr 16, 2024 · 83049a3 · 83049a3
1 parent 4512740
commit 83049a3
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 8 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -11,30 +11,31 @@ rules:
   - mutatingwebhookconfigurations
   verbs:
   - create
-  - get
+  - delete
   - list
   - patch
-  - update
   - watch
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - validatingwebhookconfigurations
   verbs:
   - create
-  - get
+  - delete
   - list
   - patch
-  - update
   - watch
 - apiGroups:
   - policies.kubewarden.io
   resources:
   - admissionpolicies
   verbs:
+  - create
   - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - policies.kubewarden.io
@@ -55,9 +56,12 @@ rules:
   resources:
   - clusteradmissionpolicies
   verbs:
+  - create
   - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - policies.kubewarden.io

diff --git a/controllers/admissionpolicy_controller.go b/controllers/admissionpolicy_controller.go
@@ -42,7 +42,7 @@ import (
 //
 // We need access to these resources inside of all the namespaces -> a ClusterRole
 // is needed
-//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies,verbs=get;list;watch;delete
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies,verbs=create;delete;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=admissionpolicies/finalizers,verbs=update
 //

diff --git a/controllers/clusteradmissionpolicy_controller.go b/controllers/clusteradmissionpolicy_controller.go
@@ -42,7 +42,7 @@ import (
 //
 // We need access to these resources inside of all the namespaces -> a ClusterRole
 // is needed
-//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=get;list;watch;delete
+//+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies,verbs=create;delete;get;list;patch;update;watch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=policies.kubewarden.io,resources=clusteradmissionpolicies/finalizers,verbs=update
 

diff --git a/internal/pkg/admission/mutating-webhook.go b/internal/pkg/admission/mutating-webhook.go
@@ -17,7 +17,7 @@ import (
 	"github.com/kubewarden/kubewarden-controller/internal/pkg/constants"
 )
 
-//+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=create;delete;list;patch;watch
 
 func (r *Reconciler) ReconcileMutatingWebhookConfiguration(
 	ctx context.Context,

diff --git a/internal/pkg/admission/validating-webhook.go b/internal/pkg/admission/validating-webhook.go
@@ -17,7 +17,7 @@ import (
 	"github.com/kubewarden/kubewarden-controller/internal/pkg/constants"
 )
 
-//+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch
+//+kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=create;delete;list;patch;watch
 
 func (r *Reconciler) ReconcileValidatingWebhookConfiguration(
 	ctx context.Context,