fix generated controller manager rbacs (#1292)

* fix generated controller manager rbacs * rm duplicate
DataDog · Jul 16, 2024 · af6d1b8 · af6d1b8
1 parent 78cefd3
commit af6d1b8
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 77 deletions.
diff --git a/Makefile b/Makefile
@@ -144,7 +144,7 @@ manifests: generate-manifests patch-crds ## Generate manifestcd s e.g. CRD, RBAC
 
 .PHONY: generate-manifests
 generate-manifests: $(CONTROLLER_GEN)
-	$(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role paths="./apis/..." output:crd:artifacts:config=config/crd/bases/v1
+	$(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role paths="./apis/..." paths="./controllers/..." output:crd:artifacts:config=config/crd/bases/v1
 
 .PHONY: generate
 generate: $(CONTROLLER_GEN) generate-openapi generate-docs ## Generate code

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -1,13 +1,14 @@
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - nonResourceURLs:
   - /metrics
+  verbs:
+  - get
+- nonResourceURLs:
   - /metrics/slis
   verbs:
   - get
@@ -85,8 +86,8 @@ rules:
   verbs:
   - get
   - list
-  - watch
   - patch
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -200,12 +201,21 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - apiregistration.k8s.io
   resources:
   - apiservices
   verbs:
   - '*'
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -294,6 +304,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - pods/exec
+  verbs:
+  - create
 - apiGroups:
   - authorization.k8s.io
   resources:
@@ -386,6 +402,38 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogagentprofiles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogagentprofiles/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogagentprofiles/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - datadoghq.com
   resources:
@@ -465,6 +513,38 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogslos
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogslos/finalizers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - datadoghq.com
+  resources:
+  - datadogslos/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - datadoghq.com
   resources:
@@ -491,6 +571,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - extensions
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
 - apiGroups:
   - external.metrics.k8s.io
   resources:
@@ -657,75 +744,3 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - extensions
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - list
-  - watch
-- apiGroups:
-    - datadoghq.com
-  resources:
-    - datadogslos
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - datadoghq.com
-  resources:
-    - datadogslos/finalizers
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - datadoghq.com
-  resources:
-    - datadogslos/status
-  verbs:
-    - get
-    - patch
-    - update
-- apiGroups:
-    - datadoghq.com
-  resources:
-    - datadogagentprofiles
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - datadoghq.com
-  resources:
-    - datadogagentprofiles/status
-  verbs:
-    - get
-    - patch
-    - update
-- apiGroups:
-    - datadoghq.com
-  resources:
-    - datadogagentprofiles/finalizers
-  verbs:
-    - update
-- apiGroups:
-    - ""
-  resources:
-    - pods/exec
-  verbs:
-    - create
diff --git a/controllers/datadogagent_controller.go b/controllers/datadogagent_controller.go
@@ -99,6 +99,7 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=restricted,verbs=use
 
 // +kubebuilder:rbac:urls=/metrics,verbs=get
+// +kubebuilder:rbac:urls=/metrics/slis,verbs=get
 // +kubebuilder:rbac:groups="",resources=componentstatuses,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=nodes/metrics,verbs=get
@@ -142,7 +143,6 @@ type DatadogAgentReconciler struct {
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=list;watch
 // +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=list;watch
 // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=list;watch
-// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=list;watch
 
 // Kubernetes_state_core
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;watch