From 7dfd2e60c0072efa71c77a5168468aedf662bd7f Mon Sep 17 00:00:00 2001
From: Mateusz Gozdek
Date: Fri, 7 May 2021 14:52:36 +0200
Subject: [PATCH] [newrelic-infra-operator] Add some comments about RBAC rules

So it is easier to figure why certain rules are needed.

Signed-off-by: Mateusz Gozdek
---
 charts/newrelic-infra-operator/templates/clusterrole.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/charts/newrelic-infra-operator/templates/clusterrole.yaml b/charts/newrelic-infra-operator/templates/clusterrole.yaml
index 03201c79c..8f3e408cc 100644
--- a/charts/newrelic-infra-operator/templates/clusterrole.yaml
+++ b/charts/newrelic-infra-operator/templates/clusterrole.yaml
@@ -19,23 +19,27 @@ metadata:
   labels:
     {{- include "newrelic-infra-operator.labels" . | nindent 4 }}
 rules:
+  {{/* Allow creating and updating secrets with license key for infra agent. */ -}}
   - apiGroups: [""]
     resources:
       - "secrets"
     verbs: ["get", "update", "patch"]
     resourceNames: [{{ template "newrelic-infra-operator.fullname" . }}-config]
+  {{/* resourceNames used above do not support "create" verb. */ -}}
   - apiGroups: [""]
     resources:
       - "secrets"
     verbs: ["create"]
+  {{/* "list" and "watch" are required for controller-runtime caching. */ -}}
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources: ["clusterrolebindings"]
     verbs: ["list", "watch", "get"]
-  {{/* Our controller needs permission to add the ServiceAccounts from the user to the -infra-agent CRB */ -}}
+  {{/* Our controller needs permission to add the ServiceAccounts from the user to the -infra-agent CRB. */ -}}
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources: ["clusterrolebindings"]
     verbs: ["update"]
     resourceNames: [{{ template "newrelic-infra-operator.fullname" . }}-infra-agent]
+  {{- /* Controller must have permissions it will grant to other ServiceAccounts. */ -}}
   {{- include "newrelic-infra-operator.infra-agent-monitoring-rules" . | nindent 2 }}
 ---
 {{/* infra-agent is the ClusterRole to be used by the injected agents to get metrics */}}
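Review bot: The comment added before the second secrets rule says why `create` cannot be paired with `resourceNames`, but not what that implies: if this first document is a ClusterRole, as the filename and the trailing "infra-agent is the ClusterRole" comment suggest, the rule permits creating secrets in every namespace, not just the `-config` secret the first rule is scoped to. I would make that scope explicit in the comment so a later reader does not widen the verb list thinking it is already narrow, e.g. `{{/* resourceNames used above do not support "create" verb, so this grant covers secrets in any namespace; keep it limited to "create". */ -}}`. If the operator only ever creates the secret in the release namespace, a namespaced Role/RoleBinding for this single verb would narrow the grant, but that is beyond this comment-only change and worth a separate issue.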