fix rbac

sapcc · Feb 8, 2024 · f1127b3 · f1127b3
1 parent 816bea0
commit f1127b3
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 7 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -71,6 +71,7 @@ func main() {
 	flag.StringVar(&config.Cfg.NodeTopologyLabel, "node-topology-label", "topology.kubernetes.io/zone", "The node topology label to handle peer discovery.")
 	flag.StringVar(&config.Cfg.JobImageName, "job-image-name", "cni-nanny-discovery", "The name of bgp peer discovery image.")
 	flag.StringVar(&config.Cfg.JobImageTag, "job-image-tag", "latest", "The tag of bgp peer discovery image.")
+	flag.StringVar(&config.Cfg.ServiceAccount, "service-account-name", "cni-nanny-controller-manager", "The name of service account for bgp peer discovery.")
 	flag.IntVar(&config.Cfg.BgpRemoteAs, "bgp-remote-as", 12345, "The remote autonomous system of bgp peers.")
 	flag.IntVar(&requeueInterval, "requeue-interval", 5, "requeue interval in minutes")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -108,12 +109,13 @@ func main() {
 	}
 
 	if err = (&bgpcontroller.BgpPeerDiscoveryReconciler{
-		Client:       mgr.GetClient(),
-		Scheme:       mgr.GetScheme(),
-		DefaultName:  config.Cfg.DefaultName,
-		Namespace:    config.Cfg.Namespace,
-		JobImageName: config.Cfg.JobImageName,
-		JobImageTag:  config.Cfg.JobImageTag,
+		Client:         mgr.GetClient(),
+		Scheme:         mgr.GetScheme(),
+		DefaultName:    config.Cfg.DefaultName,
+		Namespace:      config.Cfg.Namespace,
+		JobImageName:   config.Cfg.JobImageName,
+		JobImageTag:    config.Cfg.JobImageTag,
+		ServiceAccount: config.Cfg.ServiceAccount,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "BgpPeerDiscovery")
 		os.Exit(1)

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -1,5 +1,5 @@
 # Adds namespace to all resources.
-namespace: kube-system
+namespace: cni-nanny
 
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,6 +4,26 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - bgp.cninanny.sap.cc
   resources:

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -33,6 +33,7 @@ type Config struct {
 	StartingIP        net.IP
 	JobImageName      string
 	JobImageTag       string
+	ServiceAccount    string
 	BgpNeighborCount  int
 	BgpRemoteAs       int
 }
diff --git a/internal/controller/bgp/bgppeerdiscovery_controller.go b/internal/controller/bgp/bgppeerdiscovery_controller.go
@@ -42,12 +42,14 @@ type BgpPeerDiscoveryReconciler struct {
 	Namespace       string
 	JobImageName    string
 	JobImageTag     string
+	ServiceAccount  string
 	RequeueInterval time.Duration
 }
 
 //+kubebuilder:rbac:groups=bgp.cninanny.sap.cc,resources=bgppeerdiscoveries,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=bgp.cninanny.sap.cc,resources=bgppeerdiscoveries/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=bgp.cninanny.sap.cc,resources=bgppeerdiscoveries/finalizers,verbs=update
+//+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -143,6 +145,7 @@ func (r BgpPeerDiscoveryReconciler) createDiscoveryJob(ctx context.Context, conf
 	job.Spec.Template.Spec.RestartPolicy = corev1.RestartPolicyNever
 	job.Spec.Template.Spec.NodeSelector = sel
 	job.Spec.Template.Spec.HostNetwork = true
+	job.Spec.Template.Spec.ServiceAccountName = conf.ServiceAccount
 	job.Spec.Template.Spec.Tolerations = []corev1.Toleration{
 		{
 			Operator: corev1.TolerationOpExists,

diff --git a/internal/controller/topology/labeldiscovery_controller.go b/internal/controller/topology/labeldiscovery_controller.go
@@ -44,6 +44,7 @@ type LabelDiscoveryReconciler struct {
 //+kubebuilder:rbac:groups=topology.cninanny.sap.cc,resources=labeldiscoveries,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=topology.cninanny.sap.cc,resources=labeldiscoveries/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=topology.cninanny.sap.cc,resources=labeldiscoveries/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.