From 0ffdc1a8c2a216a8c85aa84ca67cd62373cd2dbd Mon Sep 17 00:00:00 2001 From: Akos Veres Date: Thu, 28 Jul 2022 09:07:12 +0300 Subject: [PATCH] fix(rbac): Fix rbac permissions (#25) Some permissions were not generated correctly and other permissions were missing an apiGroup definition. Tested locally. --- config/rbac/api_editor_role.yaml | 4 ++-- config/rbac/api_viewer_role.yaml | 4 ++-- config/rbac/checkly_alertchannel_editor_role.yaml | 4 ++-- config/rbac/checkly_alertchannel_viewer_role.yaml | 4 ++-- config/rbac/role.yaml | 4 +++- controllers/checkly/alertchannel_controller.go | 8 ++++---- 6 files changed, 15 insertions(+), 13 deletions(-) diff --git a/config/rbac/api_editor_role.yaml b/config/rbac/api_editor_role.yaml index 29697b6..e7a69c4 100644 --- a/config/rbac/api_editor_role.yaml +++ b/config/rbac/api_editor_role.yaml @@ -5,7 +5,7 @@ metadata: name: api-editor-role rules: - apiGroups: - - check.checklyhq.com + - k8s.checklyhq.com resources: - apis verbs: @@ -17,7 +17,7 @@ rules: - update - watch - apiGroups: - - check.checklyhq.com + - k8s.checklyhq.com resources: - apis/status verbs: diff --git a/config/rbac/api_viewer_role.yaml b/config/rbac/api_viewer_role.yaml index 72284fa..2a808de 100644 --- a/config/rbac/api_viewer_role.yaml +++ b/config/rbac/api_viewer_role.yaml @@ -5,7 +5,7 @@ metadata: name: api-viewer-role rules: - apiGroups: - - check.checklyhq.com + - k8s.checklyhq.com resources: - apis verbs: @@ -13,7 +13,7 @@ rules: - list - watch - apiGroups: - - check.checklyhq.com + - k8s.checklyhq.com resources: - apis/status verbs: diff --git a/config/rbac/checkly_alertchannel_editor_role.yaml b/config/rbac/checkly_alertchannel_editor_role.yaml index 69e8bca..561b965 100644 --- a/config/rbac/checkly_alertchannel_editor_role.yaml +++ b/config/rbac/checkly_alertchannel_editor_role.yaml @@ -5,7 +5,7 @@ metadata: name: alertchannel-editor-role rules: - apiGroups: - - checkly.checklyhq.com + - k8s.checklyhq.com resources: - alertchannels verbs: @@ -17,7 +17,7 @@ rules: - update - watch - apiGroups: - - checkly.checklyhq.com + - k8s.checklyhq.com resources: - alertchannels/status verbs: diff --git a/config/rbac/checkly_alertchannel_viewer_role.yaml b/config/rbac/checkly_alertchannel_viewer_role.yaml index 5e34427..5c39edf 100644 --- a/config/rbac/checkly_alertchannel_viewer_role.yaml +++ b/config/rbac/checkly_alertchannel_viewer_role.yaml @@ -5,7 +5,7 @@ metadata: name: alertchannel-viewer-role rules: - apiGroups: - - checkly.checklyhq.com + - k8s.checklyhq.com resources: - alertchannels verbs: @@ -13,7 +13,7 @@ rules: - list - watch - apiGroups: - - checkly.checklyhq.com + - k8s.checklyhq.com resources: - alertchannels/status verbs: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index aa45aaa..1e158e0 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -5,7 +5,9 @@ metadata: creationTimestamp: null name: manager-role rules: -- resources: +- apiGroups: + - "" + resources: - secrets verbs: - get diff --git a/controllers/checkly/alertchannel_controller.go b/controllers/checkly/alertchannel_controller.go index 423f1e4..531508a 100644 --- a/controllers/checkly/alertchannel_controller.go +++ b/controllers/checkly/alertchannel_controller.go @@ -40,10 +40,10 @@ type AlertChannelReconciler struct { ApiClient checkly.Client } -//+kubebuilder:rbac:groups=checkly.checklyhq.com,resources=alertchannels,verbs=get;list;watch;create;update;patch;delete -//+kubebuilder:rbac:groups=checkly.checklyhq.com,resources=alertchannels/status,verbs=get;update;patch -//+kubebuilder:rbac:groups=checkly.checklyhq.com,resources=alertchannels/finalizers,verbs=update -//+kubebuilder:rbac:groups=,resources=secrets,verbs=get;list +//+kubebuilder:rbac:groups=k8s.checklyhq.com,resources=alertchannels,verbs=get;list;watch;create;update;patch;delete +//+kubebuilder:rbac:groups=k8s.checklyhq.com,resources=alertchannels/status,verbs=get;update;patch +//+kubebuilder:rbac:groups=k8s.checklyhq.com,resources=alertchannels/finalizers,verbs=update +//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state.