From 577adf5bd09e62b8fc220ba558a4f44eb46748f0 Mon Sep 17 00:00:00 2001 From: Luca Corrieri Date: Mon, 6 Nov 2023 15:41:14 +0100 Subject: [PATCH] fix(rbac): update roles in plain manifests (#185) --- manifests/base/controllers/clusterrole.yaml | 29 +++++-- manifests/base/runner/clusterrole.yaml | 29 +++++++ manifests/base/runner/clusterrolebinding.yaml | 2 +- manifests/base/runner/kustomization.yaml | 1 + manifests/base/server/clusterrole.yaml | 41 ++++++--- ...terraform.padok.cloud_terraformlayers.yaml | 3 +- ...orm.padok.cloud_terraformpullrequests.yaml | 3 +- ...orm.padok.cloud_terraformrepositories.yaml | 3 +- ...g.terraform.padok.cloud_terraformruns.yaml | 3 +- manifests/install.yaml | 86 ++++++++++++++----- 10 files changed, 149 insertions(+), 51 deletions(-) create mode 100644 manifests/base/runner/clusterrole.yaml diff --git a/manifests/base/controllers/clusterrole.yaml b/manifests/base/controllers/clusterrole.yaml index c362e25b..28a1c924 100644 --- a/manifests/base/controllers/clusterrole.yaml +++ b/manifests/base/controllers/clusterrole.yaml @@ -7,14 +7,24 @@ metadata: app.kubernetes.io/name: burrito-controllers app.kubernetes.io/part-of: burrito rules: - - apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["create", "update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "update"] - - apiGroups: [""] - resources: ["pods"] + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - create + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - apiGroups: + - "" + resources: + - pods verbs: - create - delete @@ -30,6 +40,7 @@ rules: verbs: - create - delete + - deletecollection - get - list - patch @@ -128,7 +139,7 @@ rules: - patch - update - apiGroups: - - "coordination.k8s.io" + - coordination.k8s.io resources: - leases verbs: diff --git a/manifests/base/runner/clusterrole.yaml b/manifests/base/runner/clusterrole.yaml new file mode 100644 index 00000000..b5b4583b --- /dev/null 
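Review bot: In manifests/base/controllers/clusterrole.yaml, the `@@ -30,6 +40,7 @@` hunk adds `deletecollection` to a rule whose `apiGroups` and `resources` lie outside the hunk, so the patch does not show what the controllers can now bulk-delete. The verb cannot be narrowed with `resourceNames`, and if this ClusterRole is bound by a ClusterRoleBinding (the binding is not part of this patch) it applies in every namespace. A comment above the rule, for example `# deletecollection: controller purges the <resource> objects it created for a layer`, would make the intent auditable; the resource name there is a placeholder to fill in. The same line is added to manifests/install.yaml at `@@ -2971,6 +2967,7 @@`.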
+++ b/manifests/base/runner/clusterrole.yaml @@ -0,0 +1,29 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: runner + app.kubernetes.io/name: burrito-runner + app.kubernetes.io/part-of: burrito + name: burrito-runner +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - delete + - apiGroups: + - config.terraform.padok.cloud + resources: + - terraformlayers + verbs: + - get + - patch + - apiGroups: + - config.terraform.padok.cloud + resources: + - terraformrepositories + verbs: + - get diff --git a/manifests/base/runner/clusterrolebinding.yaml b/manifests/base/runner/clusterrolebinding.yaml index 3bea335e..0263764c 100644 --- a/manifests/base/runner/clusterrolebinding.yaml +++ b/manifests/base/runner/clusterrolebinding.yaml @@ -9,7 +9,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: burrito-controllers + name: burrito-runner subjects: - kind: ServiceAccount name: burrito-runner diff --git a/manifests/base/runner/kustomization.yaml b/manifests/base/runner/kustomization.yaml index 2f50a144..41d09d79 100644 --- a/manifests/base/runner/kustomization.yaml +++ b/manifests/base/runner/kustomization.yaml @@ -3,4 +3,5 @@ kind: Kustomization resources: - serviceaccount.yaml + - clusterrole.yaml - clusterrolebinding.yaml diff --git a/manifests/base/server/clusterrole.yaml b/manifests/base/server/clusterrole.yaml index 5ac6232b..0b3ccf60 100644 --- a/manifests/base/server/clusterrole.yaml +++ b/manifests/base/server/clusterrole.yaml @@ -11,7 +11,6 @@ rules: - config.terraform.padok.cloud resources: - terraformlayers - - terraformpullrequests verbs: - create - delete 
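Review bot: The new burrito-runner ClusterRole in manifests/base/runner/clusterrole.yaml grants `delete` on `leases` in `coordination.k8s.io` without `resourceNames`, and the ClusterRoleBinding in the same directory makes that grant valid in every namespace. Leases in that API group are also used by other components for leader election and node heartbeats, so the runner's token is able to remove leases that do not belong to burrito. If the leases the runner releases live in a known namespace, moving that rule to a namespaced `Role` and `RoleBinding` would contain it; failing that, a comment such as `# leases: runner releases the lock lease of the layer it ran` would record the intent (wording inferred from the verbs, please confirm). The `patch` verb on `terraformlayers` likewise covers the whole object rather than a subresource. The same role is added to manifests/install.yaml at `@@ -3083,6 +3080,36 @@`.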
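Review bot: In manifests/base/runner/clusterrolebinding.yaml, the `roleRef.name` change from `burrito-controllers` to `burrito-runner` cannot be applied in place, because the `roleRef` of an existing ClusterRoleBinding is immutable and the API server rejects the update. On a cluster that already has this binding, an upgrade with `kubectl apply` would fail on this object and leave the runner ServiceAccount bound to the broader burrito-controllers role until the binding is deleted and recreated. The upgrade notes should say so, or the file could carry `# roleRef is immutable: delete the existing ClusterRoleBinding before applying this version`. The binding's `metadata.name` is outside the hunk; the same change is in manifests/install.yaml at `@@ -3201,7 +3245,7 @@`.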
@@ -23,21 +22,25 @@ rules: - apiGroups: - config.terraform.padok.cloud resources: - - terraformlayers/finalizers + - terraformrepositories verbs: + - create + - delete + - get + - list + - patch - update + - watch - apiGroups: - config.terraform.padok.cloud resources: - - terraformlayers/status + - terraformlayers/finalizers verbs: - - get - - patch - update - apiGroups: - config.terraform.padok.cloud resources: - - terraformrepositories + - terraformpullrequests verbs: - create - delete @@ -49,26 +52,40 @@ rules: - apiGroups: - config.terraform.padok.cloud resources: - - terraformrepositories/finalizers + - terraformpullrequests/finalizers verbs: - update - apiGroups: - config.terraform.padok.cloud resources: - - terraformrepositories/status + - terraformpullrequests/status verbs: - get - patch - update - apiGroups: - - "coordination.k8s.io" + - config.terraform.padok.cloud resources: - - leases + - terraformruns verbs: + - create + - delete - get - list + - patch + - update - watch - - create + - apiGroups: + - config.terraform.padok.cloud + resources: + - terraformruns/finalizers + verbs: - update + - apiGroups: + - config.terraform.padok.cloud + resources: + - terraformruns/status + verbs: + - get - patch - - delete + - update diff --git a/manifests/crds/config.terraform.padok.cloud_terraformlayers.yaml b/manifests/crds/config.terraform.padok.cloud_terraformlayers.yaml index 3758357e..f3c31df9 100644 --- a/manifests/crds/config.terraform.padok.cloud_terraformlayers.yaml +++ b/manifests/crds/config.terraform.padok.cloud_terraformlayers.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformlayers.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud 
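Review bot: In manifests/base/server/clusterrole.yaml, nothing records why burrito-server needs the write access that the `@@ -23,21 +22,25 @@` and `@@ -49,26 +52,40 @@` hunks add: all verbs on `terraformruns`, `update` on `terraformruns/finalizers` and `terraformpullrequests/finalizers`, and `get`/`patch`/`update` on the two matching `/status` subresources. Finalizer and status writes are normally needed only by the reconciler that owns a resource, so if the server is the component that receives external requests (not visible in this patch), these grants widen what a compromised server token can change. A comment per rule, for example `# terraformruns/status: written by the server when <reason>`, with the reason filled in by the author, would let a reviewer trim whatever is unused. The rule set is also uneven, since `terraformlayers/finalizers` stays while `terraformlayers/status` is removed. The same rules appear in manifests/install.yaml at `@@ -3106,21 +3132,25 @@` and `@@ -3132,29 +3162,43 @@`.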
diff --git a/manifests/crds/config.terraform.padok.cloud_terraformpullrequests.yaml b/manifests/crds/config.terraform.padok.cloud_terraformpullrequests.yaml index 09af6b70..2456ffe0 100644 --- a/manifests/crds/config.terraform.padok.cloud_terraformpullrequests.yaml +++ b/manifests/crds/config.terraform.padok.cloud_terraformpullrequests.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformpullrequests.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud diff --git a/manifests/crds/config.terraform.padok.cloud_terraformrepositories.yaml b/manifests/crds/config.terraform.padok.cloud_terraformrepositories.yaml index 842531c1..8fa12a7a 100644 --- a/manifests/crds/config.terraform.padok.cloud_terraformrepositories.yaml +++ b/manifests/crds/config.terraform.padok.cloud_terraformrepositories.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformrepositories.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud diff --git a/manifests/crds/config.terraform.padok.cloud_terraformruns.yaml b/manifests/crds/config.terraform.padok.cloud_terraformruns.yaml index dd3796ad..2e355076 100644 --- a/manifests/crds/config.terraform.padok.cloud_terraformruns.yaml +++ b/manifests/crds/config.terraform.padok.cloud_terraformruns.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformruns.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud 
diff --git a/manifests/install.yaml b/manifests/install.yaml index 915d2d9d..d8e2bd58 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformlayers.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud @@ -1336,8 +1335,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformpullrequests.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud @@ -1460,8 +1458,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformrepositories.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud @@ -2774,8 +2771,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: terraformruns.config.terraform.padok.cloud spec: group: config.terraform.padok.cloud @@ -2971,6 +2967,7 @@ rules: verbs: - create - delete + - deletecollection - get - list - patch 
@@ -3083,6 +3080,36 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: runner + app.kubernetes.io/name: burrito-runner + app.kubernetes.io/part-of: burrito + name: burrito-runner +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - delete +- apiGroups: + - config.terraform.padok.cloud + resources: + - terraformlayers + verbs: + - get + - patch +- apiGroups: + - config.terraform.padok.cloud + resources: + - terraformrepositories + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/component: server @@ -3094,7 +3121,6 @@ rules: - config.terraform.padok.cloud resources: - terraformlayers - - terraformpullrequests verbs: - create - delete @@ -3106,21 +3132,25 @@ rules: - apiGroups: - config.terraform.padok.cloud resources: - - terraformlayers/finalizers + - terraformrepositories verbs: + - create + - delete + - get + - list + - patch - update + - watch - apiGroups: - config.terraform.padok.cloud resources: - - terraformlayers/status + - terraformlayers/finalizers verbs: - - get - - patch - update - apiGroups: - config.terraform.padok.cloud resources: - - terraformrepositories + - terraformpullrequests verbs: - create - delete 
@@ -3132,29 +3162,43 @@ rules: - apiGroups: - config.terraform.padok.cloud resources: - - terraformrepositories/finalizers + - terraformpullrequests/finalizers verbs: - update - apiGroups: - config.terraform.padok.cloud resources: - - terraformrepositories/status + - terraformpullrequests/status verbs: - get - patch - update - apiGroups: - - coordination.k8s.io + - config.terraform.padok.cloud resources: - - leases + - terraformruns verbs: + - create + - delete - get - list + - patch + - update - watch - - create +- apiGroups: + - config.terraform.padok.cloud + resources: + - terraformruns/finalizers + verbs: - update +- apiGroups: + - config.terraform.padok.cloud + resources: + - terraformruns/status + verbs: + - get - patch - - delete + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -3201,7 +3245,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: burrito-controllers + name: burrito-runner subjects: - kind: ServiceAccount name: burrito-runner