fix: grant operator permission to manage cluster roles

Support for volume expansion required adding the patch verb to the driver’s ClusterRole. To enable seamless upgrades from v1.6 to v1.7, the operator now requires permission to update ClusterRoles.
ThinkParQ · Nov 1, 2024 · 8307661 · 8307661
1 parent 61baa3e
commit 8307661
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/operator/bundle/manifests/beegfs-csi-driver-operator.clusterserviceversion.yaml b/operator/bundle/manifests/beegfs-csi-driver-operator.clusterserviceversion.yaml
@@ -501,7 +501,6 @@ spec:
           - rbac.authorization.k8s.io
           resources:
           - clusterrolebindings
-          - clusterroles
           - rolebindings
           - roles
           verbs:
@@ -510,6 +509,17 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          resources:
+          - clusterroles
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - security.openshift.io
           resourceNames:

diff --git a/operator/config/rbac/role.yaml b/operator/config/rbac/role.yaml
@@ -102,7 +102,6 @@ rules:
   - rbac.authorization.k8s.io
   resources:
   - clusterrolebindings
-  - clusterroles
   - rolebindings
   - roles
   verbs:
@@ -111,6 +110,17 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - security.openshift.io
   resourceNames:

diff --git a/operator/controllers/beegfsdriver_controller.go b/operator/controllers/beegfsdriver_controller.go
@@ -59,7 +59,7 @@ type BeegfsDriverReconciler struct {
 
 // The operator must have the following permissions to deploy the driver.
 //+kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;delete;update
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;delete