From 6334788ff410eec76ab00d133cc023a1f212ba09 Mon Sep 17 00:00:00 2001
From: Dharmjit Singh
Date: Mon, 13 Jun 2022 03:59:39 +0000
Subject: [PATCH] Added kubebuilder markers for RBACs for CSR
---
 config/rbac/role.yaml | 12 ++++++++----
 .../infrastructure/byoadmission_controller.go | 2 ++
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 2a1420348..239fe5a26 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -42,19 +42,23 @@ rules:
 - certificates.k8s.io
 resources:
 - certificatesigningrequests
- - certificatesigningrequests/approval
 verbs:
 - create
- - update
 - get
 - list
 - watch
 - apiGroups:
 - certificates.k8s.io
 resources:
- - signers
+ - certificatesigningrequests/approval
+ verbs:
+ - update
+- apiGroups:
+ - certificates.k8s.io
 resourceNames:
- - "kubernetes.io/kube-apiserver-client"
+ - kubernetes.io/kube-apiserver-client
+ resources:
+ - signers
 verbs:
 - approve
 - apiGroups:
diff --git a/controllers/infrastructure/byoadmission_controller.go b/controllers/infrastructure/byoadmission_controller.go
index 0679bc060..699b87ef5 100644
--- a/controllers/infrastructure/byoadmission_controller.go
+++ b/controllers/infrastructure/byoadmission_controller.go
@@ -25,6 +25,8 @@ type ByoAdmissionReconciler struct {
 }
 //+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=create;get;list;watch
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/approval,verbs=update
+//+kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,resourceNames=kubernetes.io/kube-apiserver-client,verbs=approve
 // Reconcile continuosuly checks for CSRs and approves them
 func (r *ByoAdmissionReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
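Review bot: The two added markers in byoadmission_controller.go grant `update` on `certificatesigningrequests/approval` and `approve` on the `kubernetes.io/kube-apiserver-client` signer, and nothing beside them says which CSRs the reconciler is meant to approve. RBAC can scope approval to a signer but not to individual requests, so the grant covers every CSR for that signer, and a certificate issued by it authenticates to the API server as whatever subject the request names. I would put a comment above the markers, for example `// Approval is scoped to the kube-apiserver-client signer only; Reconcile must verify the requester, subject and usages of each CSR before approving it.` Reconcile's body lies outside the hunk, so I cannot tell whether it already performs those checks; if it does not, they belong in this change rather than a follow-up.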