From b9b73a792c8d00a9f4fecfe16ea54fd672fa9aff Mon Sep 17 00:00:00 2001
From: Abhijeet Shakya
Date: Wed, 19 Jun 2024 11:01:27 +0530
Subject: [PATCH] Remove clusterRoles and Rolebindings from drcluster MW

Currently clusterRoles and Rolebindings corresponding to vrg, olm and mmode are being deployed through manifests. Changing that secret propagation to be handled via policy.

Signed-off-by: Abhijeet Shakya
---
 internal/controller/drclusters.go | 37 ---------------
 internal/controller/util/mw_util.go | 73 +----------------------------
 2 files changed, 1 insertion(+), 109 deletions(-)

diff --git a/internal/controller/drclusters.go b/internal/controller/drclusters.go
index e4b997ea4f..17cdfc9710 100644
--- a/internal/controller/drclusters.go
+++ b/internal/controller/drclusters.go
@@ -13,7 +13,6 @@ import (
 rmn "github.com/ramendr/ramen/api/v1alpha1"
 "github.com/ramendr/ramen/internal/controller/util"
 "github.com/ramendr/ramen/internal/controller/volsync"
- rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/sets"
@@ -89,18 +88,6 @@ func appendSubscriptionObject(
 )), nil
 }
 
-var olmClusterRole = &rbacv1.ClusterRole{
- TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
- ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:olm-edit"},
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{"operators.coreos.com"},
- Resources: []string{"operatorgroups"},
- Verbs: []string{"create", "get", "list", "update", "delete"},
- },
- },
-}
-
 func objectsToDeploy(hubOperatorRamenConfig *rmn.RamenConfig) ([]interface{}, error) {
 objects := []interface{}{}
 
@@ -127,35 +114,11 @@ func objectsToDeploy(hubOperatorRamenConfig *rmn.RamenConfig) ([]interface{}, er
 return append(objects,
 util.Namespace(drClusterOperatorNamespaceName),
- olmClusterRole,
- olmRoleBinding(drClusterOperatorNamespaceName),
 operatorGroup(drClusterOperatorNamespaceName),
 drClusterOperatorConfigMap,
 ), nil
 }
 
-func olmRoleBinding(namespaceName string) *rbacv1.RoleBinding {
- return &rbacv1.RoleBinding{
- TypeMeta: metav1.TypeMeta{Kind: "RoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
- ObjectMeta: metav1.ObjectMeta{
- Name: "open-cluster-management:klusterlet-work-sa:agent:olm-edit",
- Namespace: namespaceName,
- },
- Subjects: []rbacv1.Subject{
- {
- Kind: "ServiceAccount",
- Name: "klusterlet-work-sa",
- Namespace: "open-cluster-management-agent",
- },
- },
- RoleRef: rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "ClusterRole",
- Name: "open-cluster-management:klusterlet-work-sa:agent:olm-edit",
- },
- }
-}
-
 func operatorGroup(namespaceName string) *operatorsv1.OperatorGroup {
 return &operatorsv1.OperatorGroup{
 TypeMeta: metav1.TypeMeta{Kind: "OperatorGroup", APIVersion: "operators.coreos.com/v1"},
diff --git a/internal/controller/util/mw_util.go b/internal/controller/util/mw_util.go
index f2e4dd6aa2..5336c914f5 100644
--- a/internal/controller/util/mw_util.go
+++ b/internal/controller/util/mw_util.go
@@ -13,7 +13,6 @@ import (
 ocmworkv1 "github.com/open-cluster-management/api/work/v1"
 errorswrapper "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
- rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -334,18 +333,8 @@ func (mwu *MWUtil) GetDrClusterManifestWork(clusterName string) (*ocmworkv1.Mani
 func (mwu *MWUtil) CreateOrUpdateDrClusterManifestWork(
 clusterName string,
- objectsToAppend []interface{}, annotations map[string]string,
+ objects []interface{}, annotations map[string]string,
 ) error {
- objects := append(
- []interface{}{
- vrgClusterRole,
- vrgClusterRoleBinding,
- mModeClusterRole,
- mModeClusterRoleBinding,
- },
- objectsToAppend...,
- )
-
 manifests := make([]ocmworkv1.Manifest, len(objects))
 for i, object := range objects {
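Review bot: With the prepended RBAC gone, the method now forwards `objects` to the ManifestWork exactly as given, so the ClusterRoles and bindings that let `klusterlet-work-sa` manage volumereplicationgroups and maintenancemodes are no longer guaranteed to arrive with the work; if I read the work agent's behaviour correctly, manifests dropped from an existing ManifestWork are also garbage-collected on the managed cluster, so on upgrade the current RBAC would be removed unless the policy-delivered replacement is rolled out first. The same ordering concern applies to the OLM role and binding dropped from objectsToDeploy in drclusters.go. This contract is worth stating on the exported method, e.g. `// CreateOrUpdateDrClusterManifestWork wraps objects in a ManifestWork for clusterName as given; the RBAC the work agent needs to apply them is no longer included and must be delivered separately.` A zero-length `objects` is now reachable where it never was before, so consider rejecting it with `if len(objects) == 0 { return errorswrapper.New("no objects to deploy") }` before `manifests` is built, unless an empty work is intended. The method body continues outside the hunk.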
@@ -370,66 +359,6 @@ func (mwu *MWUtil) CreateOrUpdateDrClusterManifestWork(
 )
 }
 
-var (
- vrgClusterRole = &rbacv1.ClusterRole{
- TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
- ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit"},
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{"ramendr.openshift.io"},
- Resources: []string{"volumereplicationgroups"},
- Verbs: []string{"create", "get", "list", "update", "delete"},
- },
- },
- }
-
- vrgClusterRoleBinding = &rbacv1.ClusterRoleBinding{
- TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
- ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit"},
- Subjects: []rbacv1.Subject{
- {
- Kind: "ServiceAccount",
- Name: "klusterlet-work-sa",
- Namespace: "open-cluster-management-agent",
- },
- },
- RoleRef: rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "ClusterRole",
- Name: "open-cluster-management:klusterlet-work-sa:agent:volrepgroup-edit",
- },
- }
-
- mModeClusterRole = &rbacv1.ClusterRole{
- TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
- ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit"},
- Rules: []rbacv1.PolicyRule{
- {
- APIGroups: []string{"ramendr.openshift.io"},
- Resources: []string{"maintenancemodes"},
- Verbs: []string{"create", "get", "list", "update", "delete"},
- },
- },
- }
-
- mModeClusterRoleBinding = &rbacv1.ClusterRoleBinding{
- TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"},
- ObjectMeta: metav1.ObjectMeta{Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit"},
- Subjects: []rbacv1.Subject{
- {
- Kind: "ServiceAccount",
- Name: "klusterlet-work-sa",
- Namespace: "open-cluster-management-agent",
- },
- },
- RoleRef: rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "ClusterRole",
- Name: "open-cluster-management:klusterlet-work-sa:agent:mmode-edit",
- },
- }
-)
-
 func (mwu *MWUtil) GenerateManifest(obj interface{}) (*ocmworkv1.Manifest, error) {
 objJSON, err := json.Marshal(obj)
 if err != nil {