diff --git a/config/rbac/lighthouse-agent/cluster_role.yaml b/config/rbac/lighthouse-agent/cluster_role.yaml index d1547b963..b0c43fffc 100644 --- a/config/rbac/lighthouse-agent/cluster_role.yaml +++ b/config/rbac/lighthouse-agent/cluster_role.yaml @@ -15,7 +15,6 @@ rules: - get - list - watch - - update - apiGroups: - discovery.k8s.io resources: @@ -32,8 +31,8 @@ rules: - apiGroups: - submariner.io resources: - - "gateways" - - "globalingressips" + - gateways + - globalingressips verbs: - get - list @@ -41,7 +40,8 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "*" + - serviceimports + - serviceimports/status verbs: - create - get @@ -49,3 +49,17 @@ rules: - watch - update - delete + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports/status + verbs: + - update diff --git a/config/rbac/lighthouse-coredns/cluster_role.yaml b/config/rbac/lighthouse-coredns/cluster_role.yaml index df4c649c7..f1180c4bb 100644 --- a/config/rbac/lighthouse-coredns/cluster_role.yaml +++ b/config/rbac/lighthouse-coredns/cluster_role.yaml @@ -5,34 +5,19 @@ metadata: creationTimestamp: null name: submariner-lighthouse-coredns rules: - - apiGroups: - - "" - resources: - - services - - namespaces - - endpoints - verbs: - - get - - list - - watch - - update - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - - create - get - list - watch - - update - - delete - - deletecollection - apiGroups: - submariner.io resources: - - "gateways" - - "submariners" + - gateways + - submariners verbs: - get - list @@ -40,11 +25,8 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "*" + - serviceimports verbs: - - create - get - list - watch - - update - - delete diff --git a/config/rbac/submariner-gateway/cluster_role.yaml b/config/rbac/submariner-gateway/cluster_role.yaml index b21c7e75f..cb840f2a1 100644 
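Review bot: In the lighthouse-agent ClusterRole, the `serviceimports/status` entry added in the `@@ -41,7 +40,8 @@` hunk inherits the parent resource's whole verb list (`create`/`get` here, `watch`/`update`/`delete` visible as context in the following hunk), although a status subresource only serves get, update and patch. The `serviceexports/status` rule the last hunk appends already uses the narrower shape with `update` alone, so giving `serviceimports/status` its own rule of the same shape, `resources: [serviceimports/status]` with `verbs: [update]` (plus `patch` only if the agent patches rather than updates status, which this diff does not show), keeps the role minimal and consistent with itself.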
--- a/config/rbac/submariner-gateway/cluster_role.yaml +++ b/config/rbac/submariner-gateway/cluster_role.yaml @@ -10,21 +10,7 @@ rules: - configmaps verbs: - get - - list - - watch - - create - - update - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - apiGroups: # pods and services are looked up to figure out network settings - "" resources: - pods @@ -34,29 +20,3 @@ rules: - get - list - watch - - apiGroups: - - operator.openshift.io - resources: - - dnses - verbs: - - get - - list - - watch - - update - - apiGroups: - - config.openshift.io - resources: - - networks - verbs: - - get - - list - - apiGroups: - - submariner.io - resources: - - endpoints - - gateways - - clusters - verbs: - - get - - list - - watch diff --git a/config/rbac/submariner-gateway/role.yaml b/config/rbac/submariner-gateway/role.yaml index 7047643b7..881e66e35 100644 --- a/config/rbac/submariner-gateway/role.yaml +++ b/config/rbac/submariner-gateway/role.yaml @@ -9,55 +9,23 @@ rules: - "" resources: - pods - - services - - services/finalizers - - endpoints - - events - - configmaps - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors verbs: - get - - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get + - patch - apiGroups: - submariner.io resources: - - '*' + - clusters + - endpoints + - gateways verbs: - - '*' + - get + - list + - watch + - create + - update + - delete - apiGroups: - coordination.k8s.io resources: 
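Review bot: In the gateway Role hunk (`@@ -9,55 +9,23 @@`) the `pods` rule ends up granting `get`, `update` and `patch`, where `update` is a surviving context line that previously belonged to the deleted `deployments/finalizers` rule rather than a verb chosen for pods. If the gateway only labels or annotates its own pod through one of those two verbs, keep that one and drop the other so the narrowing done for the `submariner.io` rule (explicit verbs instead of `'*'`) is carried through. The Role's trailing `coordination.k8s.io` rule continues outside the hunk.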
diff --git a/config/rbac/submariner-globalnet/cluster_role.yaml b/config/rbac/submariner-globalnet/cluster_role.yaml index 35afa676f..ea98fb56c 100644 --- a/config/rbac/submariner-globalnet/cluster_role.yaml +++ b/config/rbac/submariner-globalnet/cluster_role.yaml @@ -8,14 +8,20 @@ rules: - apiGroups: - "" resources: - - pods - - namespaces - nodes verbs: - get - list - watch - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -31,8 +37,8 @@ rules: - apiGroups: - submariner.io resources: - - endpoints - clusters + - endpoints verbs: - get - list @@ -57,7 +63,7 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "serviceexports" + - serviceexports verbs: - get - list diff --git a/config/rbac/submariner-globalnet/role.yaml b/config/rbac/submariner-globalnet/role.yaml index 726ad2eb3..3b4a7637a 100644 --- a/config/rbac/submariner-globalnet/role.yaml +++ b/config/rbac/submariner-globalnet/role.yaml @@ -5,61 +5,6 @@ metadata: creationTimestamp: null name: submariner-globalnet rules: - - apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - apiGroups: - - submariner.io - resources: - - '*' - verbs: - - '*' - apiGroups: - coordination.k8s.io resources: diff --git a/config/rbac/submariner-operator/cluster_role.yaml b/config/rbac/submariner-operator/cluster_role.yaml index d1b1b9e03..8ae3d5ecd 100644 
--- a/config/rbac/submariner-operator/cluster_role.yaml +++ b/config/rbac/submariner-operator/cluster_role.yaml @@ -28,9 +28,10 @@ rules: - update - delete - watch - - apiGroups: # pods, services and nodes are looked up to figure out network settings + - apiGroups: - "" resources: + # Needed for network settings discovery - pods - services - nodes @@ -44,27 +45,20 @@ rules: - dnses verbs: - get - - list - - watch - update - apiGroups: - config.openshift.io resources: + # Needed for network settings discovery - networks + resourceNames: + - cluster verbs: - get - - list - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - apiGroups: - monitoring.coreos.com resources: + # Needed for openshift monitoring - servicemonitors verbs: - get @@ -72,13 +66,18 @@ rules: - apiGroups: - apps resources: + # Needed for Flannel CNI discovery - daemonsets verbs: - list - apiGroups: - rbac.authorization.k8s.io resources: + # Temporarily needed for network-plugin syncer removal - clusterroles - clusterrolebindings + resourceNames: + - ocp-submariner-networkplugin-syncer + - submariner-networkplugin-syncer verbs: - delete diff --git a/config/rbac/submariner-operator/role.yaml b/config/rbac/submariner-operator/role.yaml index d06468877..d7784ee8a 100644 --- a/config/rbac/submariner-operator/role.yaml +++ b/config/rbac/submariner-operator/role.yaml @@ -8,20 +8,19 @@ rules: - apiGroups: - "" resources: - - pods + # For metrics - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets verbs: - - '*' + - get + - create + - update - apiGroups: - "" resources: + # Temporarily needed for network-plugin syncer removal - serviceaccounts + resourceNames: + - submariner-networkplugin-syncer verbs: - delete - apiGroups: 
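Review bot: In the operator ClusterRole, the `operator.openshift.io` `dnses` rule in the `@@ -44,27 +45,20 @@` hunk drops `list`/`watch` but still allows `get`/`update` on every DNS object, whereas the neighbouring `networks` rule in the same hunk is narrowed with `resourceNames:` / `- cluster`. If the operator only reads and updates the DNS operator's single `default` object (I believe that is the name OpenShift uses, but it should be confirmed against the reconciler), the same `resourceNames:` / `- default` pair applies here too, since `get` and `update` honour resourceNames. Scoping the `clusterroles`/`clusterrolebindings` delete rule to the two syncer names in the final hunk follows exactly this pattern.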
@@ -29,13 +28,18 @@ rules: resources: - deployments - daemonsets - - replicasets - - statefulsets verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - monitoring.coreos.com resources: + # Needed for openshift monitoring - servicemonitors verbs: - get @@ -49,20 +53,26 @@ rules: verbs: - update - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps + - submariner.io resources: - - replicasets + - brokers + - brokers/status + - submariners + - submariners/status + - servicediscoveries + - servicediscoveries/status verbs: - get + - list + - watch + - create + - update + - delete - apiGroups: - submariner.io resources: - - '*' + - gateways verbs: - - '*' + - get + - list + - watch diff --git a/config/rbac/submariner-route-agent/cluster_role.yaml b/config/rbac/submariner-route-agent/cluster_role.yaml index a7fe5dd19..a4823ab1d 100644 --- a/config/rbac/submariner-route-agent/cluster_role.yaml +++ b/config/rbac/submariner-route-agent/cluster_role.yaml @@ -6,64 +6,32 @@ metadata: rules: - apiGroups: - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - apiGroups: # pods and services are looked up to figure out network settings - - "" resources: - pods - services - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: + - configmaps - endpoints - verbs: - - list - - apiGroups: - - operator.openshift.io - resources: - - dnses verbs: - get - list - - watch - - update - apiGroups: - config.openshift.io resources: - networks + resourceNames: + - cluster verbs: - get - - list - apiGroups: - "" + resources: + - nodes verbs: - get - list - watch - update - resources: - - nodes - apiGroups: - projectcalico.org resources: 
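Review bot: The consolidated core rule in the route-agent ClusterRole (`@@ -6,64 +6,32 @@`) keeps `list` on `secrets` at cluster scope, which allows reading every Secret in the cluster; the verb was already granted before this change, but the commit tightens everything around it and leaves this one untouched. If the agent needs only a specific well-known Secret, `get` with `resourceNames` or a namespaced Role would suffice; if a cluster-wide list is genuinely required, a `# Needed for ...` comment like the ones this commit adds to the operator roles would record why. The `projectcalico.org` rule continues outside the hunk.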
diff --git a/config/rbac/submariner-route-agent/role.yaml b/config/rbac/submariner-route-agent/role.yaml index 05ef15d0f..369cb244c 100644 --- a/config/rbac/submariner-route-agent/role.yaml +++ b/config/rbac/submariner-route-agent/role.yaml @@ -6,54 +6,22 @@ metadata: name: submariner-routeagent rules: - apiGroups: - - "" + - submariner.io resources: - - services - - services/finalizers - endpoints - - events - - configmaps - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets verbs: - - '*' + - get + - list + - watch - apiGroups: - - monitoring.coreos.com + - submariner.io resources: - - servicemonitors + - gatewayroutes + - nongatewayroutes verbs: - get + - list + - watch - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - apiGroups: - - submariner.io - resources: - - '*' - verbs: - - '*' + - delete diff --git a/controllers/submariner/migration_test.go b/controllers/submariner/migration_test.go index a067471b9..706e80d09 100644 --- a/controllers/submariner/migration_test.go +++ b/controllers/submariner/migration_test.go @@ -55,12 +55,24 @@ var _ = Describe("Migration tests", func() { Name: submariner.NetworkPluginSyncerComponent, }, }, + &rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: t.Namespace, + Name: "ocp-submariner-networkplugin-syncer", + }, + }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ Namespace: t.Namespace, Name: submariner.NetworkPluginSyncerComponent, }, }, + &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: t.Namespace, + Name: "ocp-submariner-networkplugin-syncer", + }, + }, &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Namespace: t.Namespace, 
@@ -83,6 +95,18 @@ var _ = Describe("Migration tests", func() { }, }) + t.AssertNoResource(&rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ocp-submariner-networkplugin-syncer", + }, + }) + + t.AssertNoResource(&rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ocp-submariner-networkplugin-syncer", + }, + }) + t.AssertNoResource(&corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ Name: submariner.NetworkPluginSyncerComponent, diff --git a/controllers/submariner/np_syncer_resources.go b/controllers/submariner/np_syncer_resources.go index 34b67523f..7587eccb5 100644 --- a/controllers/submariner/np_syncer_resources.go +++ b/controllers/submariner/np_syncer_resources.go @@ -43,7 +43,6 @@ func (r *Reconciler) removeNetworkPluginSyncerDeployment(ctx context.Context, in deleteAll := func(objs ...client.Object) error { for _, obj := range objs { - obj.SetName(NetworkPluginSyncerComponent) obj.SetNamespace(instance.Namespace) err := r.config.ScopedClient.Delete(ctx, obj) 
@@ -59,38 +58,32 @@ func (r *Reconciler) removeNetworkPluginSyncerDeployment(ctx context.Context, in return deleteAll( &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: "ocp-submariner-networkplugin-syncer", + Name: "ocp-submariner-networkplugin-syncer", }, }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: "ocp-submariner-networkplugin-syncer", + Name: "ocp-submariner-networkplugin-syncer", }, }, &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ - Namespace: instance.Namespace, - Name: NetworkPluginSyncerComponent, + Name: NetworkPluginSyncerComponent, }, }, ) diff --git a/go.mod b/go.mod index 370dfa9d7..40d41ab3b 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.71.0 github.com/prometheus-operator/prometheus-operator/pkg/client v0.71.0 github.com/prometheus/client_golang v1.18.0 - github.com/submariner-io/admiral v0.17.1 + github.com/submariner-io/admiral v0.17.2-0.20240506144102-84fdf58df3f8 github.com/submariner-io/shipyard v0.17.1 github.com/submariner-io/submariner v0.17.1 golang.org/x/text v0.14.0 diff --git a/go.sum b/go.sum index b9dce4fef..6dc38f471 100644 --- a/go.sum +++ b/go.sum 
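Review bot: With `Namespace:` removed from every literal in the `@@ -59,38 +58,32 @@` hunk, the `deleteAll` closure from the previous hunk is now the only place a namespace is set, and it stamps `instance.Namespace` onto the cluster-scoped `ClusterRole` and `ClusterRoleBinding` objects as well as the namespaced ones. As far as I know a controller-runtime client drops the namespace for cluster-scoped kinds, so the deletes still work, but the reliance is implicit; a comment in the closure such as `// namespace is ignored by the client for cluster-scoped kinds (ClusterRole, ClusterRoleBinding)`, or setting it only for namespaced objects, would make the intent explicit. The Delete error handling sits between the two hunks and is not visible here.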
@@ -405,8 +405,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/submariner-io/admiral v0.17.1 h1:p7XkFfbKaQArlzwzZrU4tW5etGjzjlslLhG1p9b/vgs= -github.com/submariner-io/admiral v0.17.1/go.mod h1:38k64mD4hRBQ2UR1VeaJsrIJmmxa3vo5TdevdEUM93k= +github.com/submariner-io/admiral v0.17.2-0.20240506144102-84fdf58df3f8 h1:r9+hTsSEM6Wavub+foDrich0oQhvP3L2unyfY2xzCiA= +github.com/submariner-io/admiral v0.17.2-0.20240506144102-84fdf58df3f8/go.mod h1:38k64mD4hRBQ2UR1VeaJsrIJmmxa3vo5TdevdEUM93k= github.com/submariner-io/shipyard v0.17.1 h1:CGKBOwl9cU9aVG7jS+PV7FjMZOmFKY0YuQJa8y2Yo1c= github.com/submariner-io/shipyard v0.17.1/go.mod h1:hhlOvzkProcAJe/3cm52FYUEknAzJlBmIkRfjl/SMSw= github.com/submariner-io/submariner v0.17.1 h1:2iOoRESrBwFuWba1ycYOUpLlqSdgu2bYqBoaszgPotA= diff --git a/pkg/embeddedyamls/yamls.go b/pkg/embeddedyamls/yamls.go index abc66b7c4..4889ab774 100644 --- a/pkg/embeddedyamls/yamls.go +++ b/pkg/embeddedyamls/yamls.go @@ -2599,20 +2599,19 @@ rules: - apiGroups: - "" resources: - - pods + # For metrics - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets verbs: - - '*' + - get + - create + - update - apiGroups: - "" resources: + # Temporarily needed for network-plugin syncer removal - serviceaccounts + resourceNames: + - submariner-networkplugin-syncer verbs: - delete - apiGroups: @@ -2620,13 +2619,18 @@ rules: resources: - deployments - daemonsets - - replicasets - - statefulsets verbs: - - '*' + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - monitoring.coreos.com resources: + # Needed for openshift monitoring - servicemonitors verbs: - get 
@@ -2640,23 +2644,29 @@ rules: verbs: - update - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps + - submariner.io resources: - - replicasets + - brokers + - brokers/status + - submariners + - submariners/status + - servicediscoveries + - servicediscoveries/status verbs: - get + - list + - watch + - create + - update + - delete - apiGroups: - submariner.io resources: - - '*' + - gateways verbs: - - '*' + - get + - list + - watch ` Config_rbac_submariner_operator_role_binding_yaml = `--- kind: RoleBinding @@ -2701,9 +2711,10 @@ rules: - update - delete - watch - - apiGroups: # pods, services and nodes are looked up to figure out network settings + - apiGroups: - "" resources: + # Needed for network settings discovery - pods - services - nodes @@ -2717,27 +2728,20 @@ rules: - dnses verbs: - get - - list - - watch - update - apiGroups: - config.openshift.io resources: + # Needed for network settings discovery - networks + resourceNames: + - cluster verbs: - get - - list - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - apiGroups: - monitoring.coreos.com resources: + # Needed for openshift monitoring - servicemonitors verbs: - get @@ -2745,14 +2749,19 @@ rules: - apiGroups: - apps resources: + # Needed for Flannel CNI discovery - daemonsets verbs: - list - apiGroups: - rbac.authorization.k8s.io resources: + # Temporarily needed for network-plugin syncer removal - clusterroles - clusterrolebindings + resourceNames: + - ocp-submariner-networkplugin-syncer + - submariner-networkplugin-syncer verbs: - delete ` 
@@ -2820,55 +2829,23 @@ rules: - "" resources: - pods - - services - - services/finalizers - - endpoints - - events - - configmaps - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors verbs: - get - - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get + - patch - apiGroups: - submariner.io resources: - - '*' + - clusters + - endpoints + - gateways verbs: - - '*' + - get + - list + - watch + - create + - update + - delete - apiGroups: - coordination.k8s.io resources: @@ -2906,21 +2883,7 @@ rules: - configmaps verbs: - get - - list - - watch - - create - - update - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - apiGroups: # pods and services are looked up to figure out network settings - "" resources: - pods @@ -2930,32 +2893,6 @@ rules: - get - list - watch - - apiGroups: - - operator.openshift.io - resources: - - dnses - verbs: - - get - - list - - watch - - update - - apiGroups: - - config.openshift.io - resources: - - networks - verbs: - - get - - list - - apiGroups: - - submariner.io - resources: - - endpoints - - gateways - - clusters - verbs: - - get - - list - - watch ` Config_rbac_submariner_gateway_cluster_role_binding_yaml = `--- apiVersion: rbac.authorization.k8s.io/v1 
@@ -3012,57 +2949,25 @@ metadata: name: submariner-routeagent rules: - apiGroups: - - "" + - submariner.io resources: - - services - - services/finalizers - endpoints - - events - - configmaps - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets verbs: - - '*' + - get + - list + - watch - apiGroups: - - monitoring.coreos.com + - submariner.io resources: - - servicemonitors + - gatewayroutes + - nongatewayroutes verbs: - get + - list + - watch - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - apiGroups: - - submariner.io - resources: - - '*' - verbs: - - '*' + - delete ` Config_rbac_submariner_route_agent_role_binding_yaml = `--- kind: RoleBinding @@ -3085,64 +2990,32 @@ metadata: rules: - apiGroups: - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - create - - update - - delete - - apiGroups: # pods and services are looked up to figure out network settings - - "" resources: - pods - services - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: + - configmaps - endpoints - verbs: - - list - - apiGroups: - - operator.openshift.io - resources: - - dnses verbs: - get - list - - watch - - update - apiGroups: - config.openshift.io resources: - networks + resourceNames: + - cluster verbs: - get - - list - apiGroups: - "" + resources: + - nodes verbs: - get - list - watch - update - resources: - - nodes - apiGroups: - projectcalico.org resources: 
@@ -3208,61 +3081,6 @@ metadata: creationTimestamp: null name: submariner-globalnet rules: - - apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - apps - resourceNames: - - submariner-operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - verbs: - - get - - apiGroups: - - submariner.io - resources: - - '*' - verbs: - - '*' - apiGroups: - coordination.k8s.io resources: @@ -3298,14 +3116,20 @@ rules: - apiGroups: - "" resources: - - pods - - namespaces - nodes verbs: - get - list - watch - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -3321,8 +3145,8 @@ rules: - apiGroups: - submariner.io resources: - - endpoints - clusters + - endpoints verbs: - get - list @@ -3347,7 +3171,7 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "serviceexports" + - serviceexports verbs: - get - list @@ -3575,7 +3399,6 @@ rules: - get - list - watch - - update - apiGroups: - discovery.k8s.io resources: @@ -3592,8 +3415,8 @@ rules: - apiGroups: - submariner.io resources: - - "gateways" - - "globalingressips" + - gateways + - globalingressips verbs: - get - list @@ -3601,7 +3424,8 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "*" + - serviceimports + - serviceimports/status verbs: - create - get 
@@ -3609,6 +3433,20 @@ rules: - watch - update - delete + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports/status + verbs: + - update ` Config_rbac_lighthouse_agent_cluster_role_binding_yaml = `--- kind: ClusterRoleBinding @@ -3664,34 +3502,19 @@ metadata: creationTimestamp: null name: submariner-lighthouse-coredns rules: - - apiGroups: - - "" - resources: - - services - - namespaces - - endpoints - verbs: - - get - - list - - watch - - update - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - - create - get - list - watch - - update - - delete - - deletecollection - apiGroups: - submariner.io resources: - - "gateways" - - "submariners" + - gateways + - submariners verbs: - get - list @@ -3699,14 +3522,11 @@ rules: - apiGroups: - multicluster.x-k8s.io resources: - - "*" + - serviceimports verbs: - - create - get - list - watch - - update - - delete ` Config_rbac_lighthouse_coredns_cluster_role_binding_yaml = `--- kind: ClusterRoleBinding diff --git a/pkg/metrics/service-monitor.go b/pkg/metrics/service-monitor.go index 647db754d..1576d6cef 100644 --- a/pkg/metrics/service-monitor.go +++ b/pkg/metrics/service-monitor.go 
@@ -24,20 +24,15 @@ import ( "github.com/pkg/errors" monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" monclientv1 "github.com/prometheus-operator/prometheus-operator/pkg/client/versioned/typed/monitoring/v1" + "github.com/submariner-io/admiral/pkg/resource" v1 "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/discovery" - clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" "k8s.io/utils/ptr" - logf "sigs.k8s.io/controller-runtime/pkg/log" ) -var ( - log = logf.Log.WithName("metrics") - ErrServiceMonitorNotPresent = fmt.Errorf("no ServiceMonitor registered with the API") -) +var ErrServiceMonitorNotPresent = fmt.Errorf("no ServiceMonitor registered with the API") const openshiftMonitoringNS = "openshift-monitoring" @@ -57,20 +52,6 @@ func CreateServiceMonitors(ctx context.Context, config *rest.Config, ns string, return nil, ErrServiceMonitorNotPresent } - // On OpenShift, we need to create the service monitors in the OpenShift monitoring namespace, not the - // services; we need our own clientset rather than the manager's since the latter hasn't started yet - // (so its caching infrastructure isn't available, and reads fail) - cs, err := clientset.NewForConfig(config) - if err != nil { - return nil, errors.Wrap(err, "error getting kube client") - } - - if _, err := cs.CoreV1().Namespaces().Get(ctx, openshiftMonitoringNS, metav1.GetOptions{}); err == nil { - ns = openshiftMonitoringNS - } else if !apierrors.IsNotFound(err) { - log.Error(err, "Error checking for the OpenShift monitoring namespace") - } - serviceMonitors := make([]*monitoringv1.ServiceMonitor, len(services)) mclient := monclientv1.NewForConfigOrDie(config) 
@@ -79,9 +60,15 @@ func CreateServiceMonitors(ctx context.Context, config *rest.Config, ns string, continue } - sm := GenerateServiceMonitor(ns, s) + // On OpenShift, we need to create the service monitors in the OpenShift monitoring namespace, not the + // service's. If that namespace doesn't exist then create in the provided namespace. + smc, err := mclient.ServiceMonitors(ns).Create(ctx, GenerateServiceMonitor(openshiftMonitoringNS, s), metav1.CreateOptions{}) + + missingNS, _ := resource.IsMissingNamespaceErr(err) + if missingNS { + smc, err = mclient.ServiceMonitors(ns).Create(ctx, GenerateServiceMonitor(ns, s), metav1.CreateOptions{}) + } - smc, err := mclient.ServiceMonitors(ns).Create(ctx, sm, metav1.CreateOptions{}) if err != nil { return nil, errors.Wrap(err, "error creating ServiceMonitor") }
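Review bot: The first `Create` in the `@@ -79,9 +60,15 @@` hunk posts to `mclient.ServiceMonitors(ns)` while the object it sends is built by `GenerateServiceMonitor(openshiftMonitoringNS, s)`; if that helper sets `metadata.namespace` from its first argument (the removed call `GenerateServiceMonitor(ns, s)` suggests it does), the request namespace and the object namespace disagree whenever `ns` is not `openshift-monitoring`. As far as I know the API server rejects that mismatch with a BadRequest rather than a missing-namespace NotFound, so `resource.IsMissingNamespaceErr` does not match it, the fallback never runs, and the loop returns the wrapped "error creating ServiceMonitor" for every service. The first call should target the namespace it creates in: `smc, err := mclient.ServiceMonitors(openshiftMonitoringNS).Create(ctx, GenerateServiceMonitor(openshiftMonitoringNS, s), metav1.CreateOptions{})`. Dropping the `Namespaces().Get` pre-check matches the removal of `namespaces` get rights elsewhere in this commit, but the new path now depends on the operator holding create rights on servicemonitors in `openshift-monitoring`, which is worth a comment beside the fallback.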