From af6d1b857f2ec9a4ea1cd2af08d8bb3d4d28e3fd Mon Sep 17 00:00:00 2001 From: Celene Date: Tue, 16 Jul 2024 12:53:24 -0400 Subject: [PATCH] fix generated controller manager rbacs (#1292) * fix generated controller manager rbacs * rm duplicate --- Makefile | 2 +- config/rbac/role.yaml | 165 ++++++++++++++----------- controllers/datadogagent_controller.go | 2 +- 3 files changed, 92 insertions(+), 77 deletions(-) diff --git a/Makefile b/Makefile index eb1e1eda7..99a12d7df 100644 --- a/Makefile +++ b/Makefile @@ -144,7 +144,7 @@ manifests: generate-manifests patch-crds ## Generate manifestcd s e.g. CRD, RBAC .PHONY: generate-manifests generate-manifests: $(CONTROLLER_GEN) - $(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role paths="./apis/..." output:crd:artifacts:config=config/crd/bases/v1 + $(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role paths="./apis/..." paths="./controllers/..." output:crd:artifacts:config=config/crd/bases/v1 .PHONY: generate generate: $(CONTROLLER_GEN) generate-openapi generate-docs ## Generate code diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index ba3a1cafe..56e1f3c80 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,13 +1,14 @@ - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - nonResourceURLs: - /metrics + verbs: + - get +- nonResourceURLs: - /metrics/slis verbs: - get @@ -85,8 +86,8 @@ rules: verbs: - get - list - - watch - patch + - watch - apiGroups: - "" resources: @@ -200,12 +201,21 @@ rules: verbs: - list - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - '*' + - list + - watch - apiGroups: - apps resources: 
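Review bot: Two rules in the regenerated manager ClusterRole look unintended, and both follow from the `paths="./controllers/..."` argument added to the `generate-manifests` recipe, which makes every `+kubebuilder:rbac` marker under controllers/ feed config/rbac/role.yaml. `pods/exec` `create` is now emitted under `authorization.k8s.io` (role.yaml hunk at -294,6), while the removed hand-written rule had it under the core group `""`; pods/exec is a core-group subresource, so unless a rule outside these hunks still grants it, the operator loses exec and keeps a rule that matches nothing. `datadogagentprofiles/finalizers` also widens from `update` to create/delete/get/list/patch/update/watch (hunk at -386,6). The markers responsible are not in this patch; I would correct them to `// +kubebuilder:rbac:groups="",resources=pods/exec,verbs=create` and `// +kubebuilder:rbac:groups=datadoghq.com,resources=datadogagentprofiles/finalizers,verbs=update`, then regenerate. A CI step that runs `make generate-manifests` and fails on a dirty tree would keep the committed role from drifting from the markers again.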
@@ -294,6 +304,12 @@ rules: - patch - update - watch +- apiGroups: + - authorization.k8s.io + resources: + - pods/exec + verbs: + - create - apiGroups: - authorization.k8s.io resources: @@ -386,6 +402,38 @@ rules: - patch - update - watch +- apiGroups: + - datadoghq.com + resources: + - datadogagentprofiles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - datadoghq.com + resources: + - datadogagentprofiles/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - datadoghq.com + resources: + - datadogagentprofiles/status + verbs: + - get + - patch + - update - apiGroups: - datadoghq.com resources: @@ -465,6 +513,38 @@ rules: - get - patch - update +- apiGroups: + - datadoghq.com + resources: + - datadogslos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - datadoghq.com + resources: + - datadogslos/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - datadoghq.com + resources: + - datadogslos/status + verbs: + - get + - patch + - update - apiGroups: - datadoghq.com resources: @@ -491,6 +571,13 @@ rules: - get - list - watch +- apiGroups: + - extensions + resources: + - customresourcedefinitions + verbs: + - list + - watch - apiGroups: - external.metrics.k8s.io resources: 
@@ -657,75 +744,3 @@ rules: verbs: - list - watch -- apiGroups: - - extensions - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch -- apiGroups: - - datadoghq.com - resources: - - datadogslos - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - datadoghq.com - resources: - - datadogslos/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - datadoghq.com - resources: - - datadogslos/status - verbs: - - get - - patch - - update -- apiGroups: - - datadoghq.com - resources: - - datadogagentprofiles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - datadoghq.com - resources: - - datadogagentprofiles/status - verbs: - - get - - patch - - update -- apiGroups: - - datadoghq.com - resources: - - datadogagentprofiles/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create diff --git a/controllers/datadogagent_controller.go b/controllers/datadogagent_controller.go index d39e18953..8d6be9599 100644 --- a/controllers/datadogagent_controller.go +++ b/controllers/datadogagent_controller.go @@ -99,6 +99,7 @@ type DatadogAgentReconciler struct { // +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,resourceNames=restricted,verbs=use // +kubebuilder:rbac:urls=/metrics,verbs=get +// +kubebuilder:rbac:urls=/metrics/slis,verbs=get // +kubebuilder:rbac:groups="",resources=componentstatuses,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=nodes/metrics,verbs=get 
@@ -142,7 +143,6 @@ type DatadogAgentReconciler struct { // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=list;watch // +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=list;watch // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=list;watch -// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=list;watch // Kubernetes_state_core // +kubebuilder:rbac:groups="",resources=configmaps,verbs=list;watch