From 6c10af96b01554890ea0788d068103a3afb54687 Mon Sep 17 00:00:00 2001
From: Vince Prignano
Date: Mon, 1 Jul 2019 11:19:21 -0700
Subject: [PATCH] Add RBAC rules for infrastructure and bootstrap resources (#1095)
Signed-off-by: Vince Prignano
---
 config/rbac/role.yaml | 31 ++++----------------
 pkg/controller/controller.go | 6 ++--
 pkg/controller/machinedeployment/BUILD.bazel | 1 +
 pkg/controller/machineset/BUILD.bazel | 1 +
 4 files changed, 10 insertions(+), 29 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index d3d450ecadfb..913fddd86653 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -40,32 +40,13 @@ rules:
 - cluster.sigs.k8s.io
 resources:
 - clusters
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - cluster.sigs.k8s.io
- resources:
+ - clusters/status
 - machines
 - machines/status
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - cluster.sigs.k8s.io
- resources:
 - machinedeployments
 - machinedeployments/status
+ - machinesets
+ - machinesets/status
 verbs:
 - get
 - list
@@ -75,10 +56,10 @@ rules:
 - patch
 - delete
 - apiGroups:
- - cluster.sigs.k8s.io
+ - infrastructure.cluster.sigs.k8s.io
+ - bootstrap.cluster.sigs.k8s.io
 resources:
- - machinesets
- - machinesets/status
+ - '*'
 verbs:
 - get
 - list
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 1f0c6bec2c9e..ae4545bc5be7 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -23,10 +23,8 @@ import (
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.sigs.k8s.io,resources=clusters,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.sigs.k8s.io,resources=machines;machines/status,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.sigs.k8s.io,resources=machinedeployments;machinedeployments/status,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.sigs.k8s.io,resources=machinesets;machinesets/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.sigs.k8s.io,resources=clusters;clusters/status;machines;machines/status;machinedeployments;machinedeployments/status;machinesets;machinesets/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=infrastructure.cluster.sigs.k8s.io;bootstrap.cluster.sigs.k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
 // AddToManagerFuncs is a list of functions to add all Controllers to the Manager
 var AddToManagerFuncs []func(manager.Manager) error
diff --git a/pkg/controller/machinedeployment/BUILD.bazel b/pkg/controller/machinedeployment/BUILD.bazel
index dc2e92a20597..de75fb89ff05 100644
--- a/pkg/controller/machinedeployment/BUILD.bazel
+++ b/pkg/controller/machinedeployment/BUILD.bazel
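Review bot: The second added marker grants `get;list;watch;create;update;patch;delete` on `resources=*` for both `infrastructure.cluster.sigs.k8s.io` and `bootstrap.cluster.sigs.k8s.io`, and nothing beside it records why a wildcard is required or which of those verbs the controllers actually call. In Kubernetes RBAC `*` matches every resource and subresource in the group, including kinds a provider registers later, so whatever subject is bound to this role gets full write and delete access to all of them; the same rule is what the second `config/rbac/role.yaml` hunk carries. If the kinds cannot be listed here because providers define them, say so directly above the marker, for example `// Provider kinds are not known to this package, hence resources=*; verbs are limited to what the controllers use.`, and drop any verb the controllers do not need (the hunk does not show whether `create` and `delete` are used, so that needs checking against the reconcilers). The first added marker also newly grants write verbs on `clusters/status`, which the removed `clusters` rule did not include; worth confirming that is intended.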
@@ -28,6 +28,7 @@ go_library(
 "//vendor/k8s.io/client-go/util/retry:go_default_library",
 "//vendor/k8s.io/klog:go_default_library",
 "//vendor/k8s.io/utils/integer:go_default_library",
+ "//vendor/k8s.io/utils/pointer:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/client:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/controller:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/handler:go_default_library",
diff --git a/pkg/controller/machineset/BUILD.bazel b/pkg/controller/machineset/BUILD.bazel
index 0941df4943c7..a1e46cb57e42 100644
--- a/pkg/controller/machineset/BUILD.bazel
+++ b/pkg/controller/machineset/BUILD.bazel
@@ -23,6 +23,7 @@ go_library(
 "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//vendor/k8s.io/client-go/tools/record:go_default_library",
 "//vendor/k8s.io/klog:go_default_library",
+ "//vendor/k8s.io/utils/pointer:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/client:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/controller:go_default_library",
 "//vendor/sigs.k8s.io/controller-runtime/pkg/handler:go_default_library",