From a0f1def64330dead5e5ed375c6c4688efa1674e2 Mon Sep 17 00:00:00 2001
From: Christian Ang
Date: Tue, 31 Jan 2023 19:23:05 +0000
Subject: [PATCH] Add RBAC for GlobalInClusterIPPools
Co-authored-by: Tyler Schultz
---
 config/crd/kustomization.yaml | 1 +
 .../globalinclusterippool_editor_role.yaml | 24 +++++++++++++++++
 .../globalinclusterippool_viewer_role.yaml | 20 ++++++++++++++
 config/rbac/role.yaml | 26 +++++++++++++++++++
 internal/controllers/ipaddressclaim.go | 3 +++
 5 files changed, 74 insertions(+)
 create mode 100644 config/rbac/globalinclusterippool_editor_role.yaml
 create mode 100644 config/rbac/globalinclusterippool_viewer_role.yaml
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 1c2de21..c0aee64 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -3,6 +3,7 @@ # It should be run by config/default resources: - bases/ipam.cluster.x-k8s.io_inclusterippools.yaml +- bases/ipam.cluster.x-k8s.io_globalinclusterippools.yaml #+kubebuilder:scaffold:crdkustomizeresource patchesStrategicMerge:
diff --git a/config/rbac/globalinclusterippool_editor_role.yaml b/config/rbac/globalinclusterippool_editor_role.yaml
new file mode 100644
index 0000000..349f0c2
--- /dev/null
+++ b/config/rbac/globalinclusterippool_editor_role.yaml
@@ -0,0 +1,24 @@
+# permissions for end users to edit globalinclusterippools.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: globalinclusterippool-editor-role
+rules:
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools/status
+ verbs:
+ - get
diff --git a/config/rbac/globalinclusterippool_viewer_role.yaml b/config/rbac/globalinclusterippool_viewer_role.yaml
new file mode 100644
index 0000000..f4540fc
--- /dev/null
+++ b/config/rbac/globalinclusterippool_viewer_role.yaml
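Review bot: The header comment on the first added line of globalinclusterippool_editor_role.yaml says only that it lets end users edit globalinclusterippools, but the role is a ClusterRole and, if the pool is cluster-scoped as the "Global" name suggests, a single binding to it hands out create and delete on every global pool in the cluster rather than one namespace's worth. That is worth stating where the person writing the binding will see it, for example `# permissions for end users to edit globalinclusterippools. If the pool type is cluster-scoped, a binding to this ClusterRole grants write access to all global pools; bind it only to subjects meant to manage cluster-wide IP pools.` The viewer role in the next file carries the same one-line header and would take the matching sentence. Neither file is added to a kustomization in this patch; if they are intended as sample roles rather than part of the deployed manifests, saying so in the same comment removes the ambiguity.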
@@ -0,0 +1,20 @@
+# permissions for end users to view globalinclusterippools.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: globalinclusterippool-viewer-role
+rules:
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools/status
+ verbs:
+ - get
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 5929e03..a14309b 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -6,6 +6,32 @@ metadata:
 creationTimestamp: null
 name: manager-role
 rules:
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - globalinclusterippools/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - ipam.cluster.x-k8s.io
 resources:
diff --git a/internal/controllers/ipaddressclaim.go b/internal/controllers/ipaddressclaim.go
index a37c6b2..2ad1cab 100644
--- a/internal/controllers/ipaddressclaim.go
+++ b/internal/controllers/ipaddressclaim.go
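Review bot: The first rule added to manager-role in this hunk grants the controller create and delete on globalinclusterippools, which is broader than a controller that only allocates addresses out of a pool and maintains a finalizer on it would need (update and patch cover the finalizer, and the status and finalizers subresources have their own rules here). The same verb set was already granted for inclusterippools in the context lines, so this may be deliberate, but which reconciler actually creates or deletes pool objects is not visible in this patch and is worth confirming. The `creationTimestamp: null` header suggests this file is controller-gen output from the `//+kubebuilder:rbac` markers added to internal/controllers/ipaddressclaim.go in this same patch, so any narrowing belongs in the marker, for example `//+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=globalinclusterippools,verbs=get;list;watch;update;patch`, with the status and finalizers markers left as they are. If the full verb set is kept, a one-line comment above that marker group naming the code path that creates or deletes pools would stop the next reviewer from asking again.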
@@ -81,6 +81,9 @@ func (r *IPAddressClaimReconciler) SetupWithManager(ctx context.Context, mgr ctr
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=inclusterippools,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=inclusterippools/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=inclusterippools/finalizers,verbs=update
+//+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=globalinclusterippools,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=globalinclusterippools/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=globalinclusterippools/finalizers,verbs=update
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddresses,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/status;ipaddresses/status,verbs=get;update;patch