Generate controller RBAC from kubebuilder marks

kubeflow · Mar 14, 2022 · 0196f00 · 0196f00
1 parent 9c88bbc
commit 0196f00
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 10 deletions.
diff --git a/Makefile b/Makefile
@@ -1,4 +1,5 @@
 HAS_LINT := $(shell command -v golangci-lint;)
+HAS_CONTROLLER_GEN := $(shell command -v controller-gen)
 COMMIT := v1beta1-$(shell git rev-parse --short=7 HEAD)
 KATIB_REGISTRY := docker.io/kubeflowkatib
 CPU_ARCH ?= amd64
@@ -13,7 +14,7 @@ TEST_TENSORFLOW_EVENT_FILE_PATH ?= $(CURDIR)/test/unit/v1beta1/metricscollector/
 test:
 	go test ./pkg/... ./cmd/... -coverprofile coverage.out
 
-check: generate fmt vet lint
+check: generate manifests fmt vet lint
 
 fmt:
 	hack/verify-gofmt.sh
@@ -53,8 +54,15 @@ endif
 	cd ./pkg/apis/manager/v1beta1 && ./build.sh
 	cd ./pkg/apis/manager/health && ./build.sh
 
+manifests:
+ifndef
+	go install sigs.k8s.io/controller-tools/cmd/[email protected]
+	echo "controller-gen has been installed"
+endif
+	controller-gen +rbac:roleName=katib-controller +paths=./pkg/controller.v1beta1/... +output:dir=./manifests/v1beta1/components/controller
+
 # Build images for the Katib v1beta1 components.
-build: generate
+build: generate manifests
 ifeq ($(and $(REGISTRY),$(TAG),$(CPU_ARCH)),)
 	$(error REGISTRY and TAG must be set. Usage: make build REGISTRY=<registry> TAG=<tag> CPU_ARCH=<cpu-architecture>)
 endif

diff --git a/manifests/v1beta1/components/controller/role.yaml b/manifests/v1beta1/components/controller/role.yaml
@@ -0,0 +1,87 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: katib-controller
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - experiments.kubeflow.org
+  resources:
+  - experiments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - experiments.kubeflow.org
+  resources:
+  - experiments/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - katib.kubeflow.org
+  resources:
+  - suggestions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - katib.kubeflow.org
+  resources:
+  - suggestions/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - trials.kubeflow.org
+  resources:
+  - trials
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - trials.kubeflow.org
+  resources:
+  - trials/status
+  verbs:
+  - get
+  - patch
+  - update
diff --git a/pkg/controller.v1beta1/experiment/experiment_controller.go b/pkg/controller.v1beta1/experiment/experiment_controller.go
@@ -111,6 +111,10 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
+// +kubebuilder:rbac:groups=experiments.kubeflow.org,resources=experiments,verbs=get;list;watch
+// +kubebuilder:rbac:groups=trials.kubeflow.org,resources=trials,verbs=get;list;watch
+// +kubebuilder:rbac:groups=suggestions.kubeflow.org,resources=suggestions,verbs=get;list;watch
+
 // addWatch adds a new Controller to mgr with r as the reconcile.Reconciler
 func addWatch(mgr manager.Manager, c controller.Controller) error {
 	// Watch for changes to Experiment
@@ -163,10 +167,11 @@ type ReconcileExperiment struct {
 	collector *util.ExperimentsCollector
 }
 
-// Reconcile reads that state of the cluster for a Experiment object and makes changes based on the state read
-// and what is in the Experiment.Spec
 // +kubebuilder:rbac:groups=experiments.kubeflow.org,resources=experiments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=experiments.kubeflow.org,resources=experiments/status,verbs=get;update;patch
+
+// Reconcile reads that state of the cluster for a Experiment object and makes changes based on the state read
+// and what is in the Experiment.Spec
 func (r *ReconcileExperiment) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	// Fetch the Experiment instance
 	logger := log.WithValues("Experiment", request.NamespacedName)

diff --git a/pkg/controller.v1beta1/suggestion/suggestion_controller.go b/pkg/controller.v1beta1/suggestion/suggestion_controller.go
@@ -120,15 +120,16 @@ type ReconcileSuggestion struct {
 	recorder record.EventRecorder
 }
 
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=katib.kubeflow.org,resources=suggestions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=katib.kubeflow.org,resources=suggestions/status,verbs=get;update;patch
+
 // Reconcile reads that state of the cluster for a Suggestion object and makes changes based on the state read
 // and what is in the Suggestion.Spec
 // TODO(user): Modify this Reconcile function to implement your Controller logic.  The scaffolding writes
 // a Deployment as an example
 // Automatically generate RBAC rules to allow the Controller to read and write Deployments
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=katib.kubeflow.org,resources=suggestions,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=katib.kubeflow.org,resources=suggestions/status,verbs=get;update;patch
 func (r *ReconcileSuggestion) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	logger := log.WithValues("Suggestion", request.NamespacedName)
 	// Fetch the Suggestion instance

diff --git a/pkg/controller.v1beta1/trial/trial_controller.go b/pkg/controller.v1beta1/trial/trial_controller.go
@@ -146,10 +146,11 @@ type ReconcileTrial struct {
 	collector *trialutil.TrialsCollector
 }
 
-// Reconcile reads that state of the cluster for a Trial object and makes changes based on the state read
-// and what is in the Trial.Spec
 // +kubebuilder:rbac:groups=trials.kubeflow.org,resources=trials,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=trials.kubeflow.org,resources=trials/status,verbs=get;update;patch
+
+// Reconcile reads that state of the cluster for a Trial object and makes changes based on the state read
+// and what is in the Trial.Spec
 func (r *ReconcileTrial) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	// Fetch the Trial instance
 	logger := log.WithValues("Trial", request.NamespacedName)