From df6557e3664e7dd80104023b21f16e9efcd2d8d5 Mon Sep 17 00:00:00 2001
From: Dustin Black
Date: Sat, 9 Sep 2023 12:12:43 +0200
Subject: [PATCH] disable clusterrole
---
 config/rbac/role.yaml | 1 +
 controllers/app.go | 48 +++++++++++++++----------------
 controllers/horreum_controller.go | 10 +++----
 3 files changed, 30 insertions(+), 29 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 7225d47..441bb25 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -94,6 +94,7 @@ rules:
 - apiGroups:
 - security.openshift.io
 resourceNames:
+ - anyuid
 - nonroot
 resources:
 - securitycontextconstraints
diff --git a/controllers/app.go b/controllers/app.go
index 5538e63..35b9bc7 100644
--- a/controllers/app.go
+++ b/controllers/app.go
@@ -4,7 +4,7 @@ import (
 hyperfoilv1alpha1 "github.com/Hyperfoil/horreum-operator/api/v1alpha1"
 routev1 "github.com/openshift/api/route/v1"
 corev1 "k8s.io/api/core/v1"
- rbacv1 "k8s.io/api/rbac/v1"
+ // rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
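Review bot: The added `- anyuid` entry under `resourceNames` extends the operator's own role to the `anyuid` SecurityContextConstraints, which allows pods to run as any UID including root, while the same commit disables the only visible code that dealt with that SCC (`appClusterRole` in controllers/app.go). If the grant is still needed, record which workload requires it with a comment such as `# anyuid: required by <component> because <reason>`; if it is not, keep only `nonroot`. The rule's `verbs` lie outside the hunk, so the exact permission cannot be confirmed from here. If this file is generated from RBAC markers in the controller source, the change presumably belongs in the marker rather than in the YAML.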
@@ -266,29 +266,29 @@ func appServiceAccount(cr *hyperfoilv1alpha1.Horreum) *corev1.ServiceAccount {
 }
 }
-func appClusterRole(cr *hyperfoilv1alpha1.Horreum) *rbacv1.ClusterRole {
- return &rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: "horreum-init-cluster-role",
- },
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{
- "security.openshift.io",
- },
- ResourceNames: []string{
- "anyuid",
- },
- Resources: []string{
- "securitycontextconstraints",
- },
- Verbs: []string{
- "use",
- },
- },
- },
- }
-}
+// func appClusterRole(cr *hyperfoilv1alpha1.Horreum) *rbacv1.ClusterRole {
+// return &rbacv1.ClusterRole{
+// ObjectMeta: metav1.ObjectMeta{
+// Name: "horreum-init-cluster-role",
+// },
+// Rules: []rbacv1.PolicyRule{
+// {
+// APIGroups: []string{
+// "security.openshift.io",
+// },
+// ResourceNames: []string{
+// "anyuid",
+// },
+// Resources: []string{
+// "securitycontextconstraints",
+// },
+// Verbs: []string{
+// "use",
+// },
+// },
+// },
+// }
+// }
 // func appClusterRoleBinding(cr *hyperfoilv1alpha1.Horreum) *rbacv1.ClusterRoleBinding {
 // return &rbacv1.ClusterRoleBinding{
diff --git a/controllers/horreum_controller.go b/controllers/horreum_controller.go
index b3fd2aa..679efa1 100644
--- a/controllers/horreum_controller.go
+++ b/controllers/horreum_controller.go
@@ -34,7 +34,7 @@ import (
 routev1 "github.com/openshift/api/route/v1"
 corev1 "k8s.io/api/core/v1"
- rbacv1 "k8s.io/api/rbac/v1"
+ // rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/equality"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
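Review bot: `appClusterRole` is disabled by prefixing every line with `//` instead of being deleted, which leaves a second block of dead code next to the already commented-out `appClusterRoleBinding`. The same applies to the `// rbacv1 "k8s.io/api/rbac/v1"` import lines in both files and to the commented block in `Reconcile`. Version control keeps the old definition, so I would delete these lines and, if the reason matters, leave one comment such as `// The operator no longer creates a ClusterRole for the anyuid SCC; see config/rbac/role.yaml.` A commented-out RBAC definition that grants `use` on `anyuid` is also easy to re-enable later without anyone reviewing what it grants.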
@@ -298,10 +298,10 @@ func (r *HorreumReconciler) Reconcile(ctx context.Context, request ctrl.Request)
 if err := ensureSame(r, cr, logger, appServiceAccount, &corev1.ServiceAccount{}, nocompare, nocheck); err != nil {
 return reconcile.Result{}, err
 }
- appClusterRole := appClusterRole(cr)
- if err := ensureSame(r, cr, logger, appClusterRole, &rbacv1.ClusterRole{}, nocompare, nocheck); err != nil {
- return reconcile.Result{}, err
- }
+ // appClusterRole := appClusterRole(cr)
+ // if err := ensureSame(r, cr, logger, appClusterRole, &rbacv1.ClusterRole{}, nocompare, nocheck); err != nil {
+ // return reconcile.Result{}, err
+ // }
 // appClusterRoleBinding := appClusterRoleBinding(cr)
 // if err := ensureSame(r, cr, logger, appClusterRoleBinding, &rbacv1.ClusterRoleBinding{}, nocompare, nocheck); err != nil {
 // return reconcile.Result{}, err
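Review bot: Nothing in this hunk removes a `horreum-init-cluster-role` that an earlier operator version already created, so an upgraded cluster may keep a ClusterRole granting `use` on the `anyuid` SCC that the operator no longer reconciles. Whether `ensureSame` sets an owner reference is not visible here, and a ClusterRole is cluster-scoped, so garbage collection through the namespaced Horreum resource probably does not cover it. I would either delete the object once during reconcile, ignoring a not-found result, or document the manual cleanup and replace the commented block with `// horreum-init-cluster-role is no longer managed here; clusters upgraded from earlier versions must delete it manually.` The body of `Reconcile` starts and ends outside the hunk.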