diff --git a/apis/autoscaling/scheme/scheme.go b/apis/autoscaling/scheme/scheme.go index 6f4f7d7d..12fb622a 100644 --- a/apis/autoscaling/scheme/scheme.go +++ b/apis/autoscaling/scheme/scheme.go @@ -1,3 +1,19 @@ +/* +Copyright 2023 Vesoft Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package scheme import ( diff --git a/charts/nebula-operator/templates/controller-manager-rbac.yaml b/charts/nebula-operator/templates/controller-manager-rbac.yaml index 228edcb7..a202d6b0 100644 --- a/charts/nebula-operator/templates/controller-manager-rbac.yaml +++ b/charts/nebula-operator/templates/controller-manager-rbac.yaml @@ -362,7 +362,6 @@ rules: verbs: - get - list - - watch - apiGroups: - apiextensions.k8s.io resources: @@ -374,6 +373,20 @@ rules: - update - patch - create + - apiGroups: + - custom.metrics.k8s.io + resources: + - '*' + verbs: + - get + - list + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
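Review bot: The wildcard `resources: '*'` on `custom.metrics.k8s.io` in the hunk `@@ -374,6 +373,20 @@` carries no explanation, so someone auditing this ClusterRole cannot tell whether the breadth is deliberate. Custom-metrics resources are typically named per metric, which would make an explicit list impractical, but that is inferred rather than shown here. A comment above the rule would settle it, for example `# custom metrics are served as per-metric resources, so they cannot be enumerated here`. The same rule is repeated in config/rbac/role.yaml (hunk `@@ -279,6 +286,13 @@`) and comes from the kubebuilder marker in pkg/controller/autoscaler/autoscaler.go, so the explanation belongs next to that marker as well. The `namespaces` rule added just below it is also cluster-wide and has no stated consumer in this diff.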
@@ -390,4 +403,18 @@ subjects: name: {{ template "controller-manager.name" . }}-sa namespace: {{ template "nebula-operator.namespace" . }} --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "controller-manager.name" . }}:system:auth-delegator + labels: + {{- include "controller-manager.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ template "controller-manager.name" . }}-sa + namespace: {{ template "nebula-operator.namespace" . }} {{- end }} diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 8e3699f1..ca777089 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -25,6 +25,13 @@ rules: - create - list - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list - apiGroups: - "" resources: @@ -279,6 +286,13 @@ rules: - patch - update - watch +- apiGroups: + - custom.metrics.k8s.io + resources: + - '*' + verbs: + - get + - list - apiGroups: - metrics.k8s.io resources: @@ -286,7 +300,6 @@ rules: verbs: - get - list - - watch - apiGroups: - rbac.authorization.k8s.io resources: diff --git a/pkg/controller/autoscaler/autoscaler.go b/pkg/controller/autoscaler/autoscaler.go index 4d65b312..31bfd8ce 100644 --- a/pkg/controller/autoscaler/autoscaler.go +++ b/pkg/controller/autoscaler/autoscaler.go 
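Review bot: The new ClusterRoleBinding in the hunk `@@ -390,4 +403,18 @@` binds the controller-manager service account to `system:auth-delegator`, and nothing in this commit shows which component performs delegated authentication or authorization. That built-in role allows creating TokenReviews and SubjectAccessReviews cluster-wide, so the template should say what needs it, for example `# needed for delegated authn/authz on <consumer>; drop this binding if <consumer> is disabled` (placeholder name). If the consumer is optional, the binding would be better behind its own values flag than inside the surrounding block, whose opening condition is outside the hunk. No matching binding for non-Helm installs is visible under config/rbac in this diff, so the two deployment paths may end up with different permissions.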
@@ -186,8 +186,10 @@ func NewHorizontalController( return hpaController, nil } -// +kubebuilder:rbac:groups="metrics.k8s.io",resources=pods,verbs=get;list;watch -// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="custom.metrics.k8s.io",resources=*,verbs=get;list +// +kubebuilder:rbac:groups="metrics.k8s.io",resources=pods,verbs=get;list +// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch +// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;list // +kubebuilder:rbac:groups=apps.nebula-graph.io,resources=nebulaclusters,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=apps.nebula-graph.io,resources=nebulaclusters/status,verbs=get;update;patch
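Review bot: The new `namespaces` marker grants `get;list` without `watch`, which only works if namespaces are read with direct API calls. If they are read through the manager's cached client, the informer behind that cache also needs `watch` and will report forbidden errors without it. The code that reads namespaces is not in this hunk, so this is worth confirming. If a cache is involved the marker would be `// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch`; otherwise a one-line comment above the markers saying the namespace and metrics reads are uncached would explain why `watch` is absent. The declaration these markers annotate starts after the hunk.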