From cb5c0fa1df23b22aa215269015cc4d5942d7b1a4 Mon Sep 17 00:00:00 2001 From: Yauheni Kaliuta Date: Thu, 26 Oct 2023 07:57:49 +0300 Subject: [PATCH] rbac: add permissions for imagestreams, daemonsets, apiservices Prepare for watching v1 resources (issue #637) To enable watching for DaemonSet and APIService (REST api resources daemonsets and apiservices) reading/watching permissions required for the operator's role. Otherwise it gets errors like: ``` User "system:serviceaccount:openshift-operators:opendatahub-operator-controller-manager" cannot list resource "daemonsets" in API group "apps" at the cluster scope E1018 20:00:55.374514 1 reflector.go:140] go/pkg/mod/k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169: Failed to watch *v1.DaemonSet: failed to list *v1.DaemonSet: daemonsets.apps is forbidden: User "system:serviceaccount:openshift-operators:opendatahub-operator-controller-manager" cannot list resource "daemonsets" in API group "apps" at the cluster scope ``` For ImageStream `get` permissing is needed for cli.Get() in deploy's manageResources()[1], otherwise it does not set ownersReference (missing the branch apierrs.IsNotFound(err) since err is related to permissions). Autogenerated files: - config/rbac/role.yaml (make manifests) - bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (make bundle) [1] https://github.com/opendatahub-io/opendatahub-operator/blob/13a7e822c0c75f361c319f8256a2d199d031d97c/pkg/deploy/deploy.go#L199 Signed-off-by: Yauheni Kaliuta --- ...ndatahub-operator.clusterserviceversion.yaml | 17 +++++++++++++++++ config/rbac/role.yaml | 17 +++++++++++++++++ .../datasciencecluster/kubebuilder_rbac.go | 6 +++++- 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml index 7f08cff8ee3..bd4a58c1c64 100644 --- a/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml 
+++ b/bundle/manifests/opendatahub-operator.clusterserviceversion.yaml @@ -268,6 +268,22 @@ spec: - list - patch - watch + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - apps resources: @@ -861,6 +877,7 @@ spec: verbs: - create - delete + - get - list - patch - update diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 57b2d47ac0f..72b8330734a 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -83,6 +83,22 @@ rules: - list - patch - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - apps resources: @@ -676,6 +692,7 @@ rules: verbs: - create - delete + - get - list - patch - update diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go index 520b970f371..bc4e0752890 100644 --- a/controllers/datasciencecluster/kubebuilder_rbac.go +++ b/controllers/datasciencecluster/kubebuilder_rbac.go @@ -25,6 +25,10 @@ package datasciencecluster // +kubebuilder:rbac:groups="operators.coreos.com",resources=operatorconditions,verbs=get;list;watch /* This is for operator */ +// +kubebuilder:rbac:groups="apiregistration.k8s.io",resources=apiservices,verbs=get;list;watch + +// +kubebuilder:rbac:groups="apps",resources=daemonsets,verbs=get;list;watch + // +kubebuilder:rbac:groups="operators.coreos.com",resources=catalogsources,verbs=get;list;watch // +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch 
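Review bot: The two new markers in the kubebuilder_rbac.go hunk grant cluster-wide read of `apps/daemonsets` and `apiregistration.k8s.io/apiservices` with no comment saying why; the reason (the manager's informer cache needs list/watch to watch these v1 types, issue #637) lives only in the commit message and is lost once the marker is read on its own. A one-line comment above each, e.g. `// get;list;watch only: lets the manager cache watch DaemonSet/APIService (issue #637)`, keeps the rationale next to the grant. The verbs are read-only, which is the minimum a cache-backed client needs, so the grant itself is appropriately narrow; if only a subset of DaemonSets matters, restricting the manager's cache with a label selector (outside this hunk) would bound what is held in memory, since RBAC cannot scope list/watch by label. The surrounding marker section continues outside the hunk.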
@@ -128,7 +132,7 @@ package datasciencecluster // +kubebuilder:rbac:groups="integreatly.org",resources=rhmis,verbs=list;watch;patch;delete // +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=patch;create;update;delete -// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;list;watch;patch;delete +// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;list;watch;patch;delete;get // +kubebuilder:rbac:groups="extensions",resources=replicasets,verbs=* // +kubebuilder:rbac:groups="extensions",resources=ingresses,verbs=list;watch;patch;delete;get
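Review bot: The new side now carries two overlapping markers for `image.openshift.io/imagestreams` (`patch;create;update;delete` on the unchanged line above and `create;list;watch;patch;delete;get` on the changed line); controller-gen unions them into one rule, as the generated role.yaml hunk shows a single imagestreams rule gaining `get`, so the effective grant can only be read by merging the two by hand. Collapsing them into one sorted marker, `// +kubebuilder:rbac:groups="image.openshift.io",resources=imagestreams,verbs=create;delete;get;list;patch;update;watch`, makes the reviewed marker match the generated role. Per the commit message, `get` is being added because deploy's manageResources only special-cases IsNotFound, so a Forbidden error presumably skipped setting the ownerReference without surfacing anything; that caller is outside this patch, but it deserves a follow-up so a missing permission fails the reconcile loudly rather than degrading silently. The marker list continues outside the hunk.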