From 555d7b4ba211e38208d882fa5662c2ddc4db2e3a Mon Sep 17 00:00:00 2001 From: Christian Schlotter Date: Fri, 3 May 2024 16:07:58 +0200 Subject: [PATCH 1/4] optimize rbac across controllers --- bootstrap/kubeadm/config/rbac/role.yaml | 7 +++++- .../controllers/kubeadmconfig_controller.go | 3 ++- config/rbac/role.yaml | 22 ------------------- controlplane/kubeadm/config/rbac/role.yaml | 4 ---- .../internal/controllers/controller.go | 2 +- .../controllers/machinepool_controller.go | 3 +-- .../controllers/cluster/cluster_controller.go | 5 ++--- .../controllers/machine/machine_controller.go | 3 +-- .../machinedeployment_controller.go | 3 +-- .../machinehealthcheck_controller.go | 2 +- .../machineset/machineset_controller.go | 3 +-- .../topology/cluster/cluster_controller.go | 4 ++-- 12 files changed, 18 insertions(+), 43 deletions(-) diff --git a/bootstrap/kubeadm/config/rbac/role.yaml b/bootstrap/kubeadm/config/rbac/role.yaml index e97c00a68311..bd02b0560d41 100644 --- a/bootstrap/kubeadm/config/rbac/role.yaml +++ b/bootstrap/kubeadm/config/rbac/role.yaml @@ -8,7 +8,6 @@ rules: - "" resources: - configmaps - - events - secrets verbs: - create @@ -58,3 +57,9 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go index 183f99c1e288..935d24476dd9 100644 --- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go +++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go 
@@ -74,7 +74,8 @@ type InitLocker interface { // +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=kubeadmconfigs;kubeadmconfigs/status;kubeadmconfigs/finalizers,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machinesets;machines;machines/status;machinepools;machinepools/status,verbs=get;list;watch -// +kubebuilder:rbac:groups="",resources=secrets;events;configmaps,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="",resources=secrets;configmaps,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // KubeadmConfigReconciler reconciles a KubeadmConfig object. type KubeadmConfigReconciler struct { diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 55346c81bf24..11bba85d5131 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -85,8 +85,6 @@ rules: resources: - clusterclasses verbs: - - create - - delete - get - list - patch @@ -118,8 +116,6 @@ rules: - clusters/finalizers - clusters/status verbs: - - create - - delete - get - list - patch @@ -131,8 +127,6 @@ rules: - clusters - clusters/status verbs: - - create - - delete - get - list - patch @@ -297,22 +291,6 @@ rules: - events verbs: - create - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - "" resources: diff --git a/controlplane/kubeadm/config/rbac/role.yaml b/controlplane/kubeadm/config/rbac/role.yaml index c79787ee7d5e..2bda63f57e20 100644 --- a/controlplane/kubeadm/config/rbac/role.yaml +++ b/controlplane/kubeadm/config/rbac/role.yaml @@ -72,10 +72,6 @@ rules: - events verbs: - create - - get - - list - - patch - - watch - apiGroups: - "" resources: 
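Review bot: Trimming the events rule to `verbs=create` on the new marker line likely breaks event aggregation: client-go's record package, which the controller-runtime manager's EventRecorder wraps, issues a Patch on the existing Event when a repeated event is correlated and only falls back to Create when that patch fails with not-found, so under this role repeated events will surface as forbidden errors in the logs (assuming these controllers use that recorder, which the hunk itself does not show). The same reduction is made in controlplane/kubeadm/internal/controllers/controller.go, exp/internal/controllers/machinepool_controller.go, internal/controllers/cluster/cluster_controller.go, internal/controllers/machine/machine_controller.go, internal/controllers/machinedeployment/machinedeployment_controller.go, internal/controllers/machinehealthcheck/machinehealthcheck_controller.go and internal/controllers/machineset/machineset_controller.go. Keeping `patch` is still a real reduction from the previous get;list;watch;create;patch: `// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch`. As a smaller point, this file now spells the core API group as `groups=""` on one line and `groups=core` on the next; using one form would make the generated role easier to audit.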
diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go index 22ba4f0ae2a1..50feb81634ef 100644 --- a/controlplane/kubeadm/internal/controllers/controller.go +++ b/controlplane/kubeadm/internal/controllers/controller.go @@ -62,7 +62,7 @@ const ( kubeadmControlPlaneKind = "KubeadmControlPlane" ) -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch diff --git a/exp/internal/controllers/machinepool_controller.go b/exp/internal/controllers/machinepool_controller.go index dadaf09a8d8d..354ac35fb81c 100644 --- a/exp/internal/controllers/machinepool_controller.go +++ b/exp/internal/controllers/machinepool_controller.go @@ -50,9 +50,8 @@ import ( "sigs.k8s.io/cluster-api/util/predicates" ) -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch -// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status;machinepools/finalizers,verbs=get;list;watch;create;update;patch;delete 
diff --git a/internal/controllers/cluster/cluster_controller.go b/internal/controllers/cluster/cluster_controller.go index 7654b788aa8e..f6a3f7122152 100644 --- a/internal/controllers/cluster/cluster_controller.go +++ b/internal/controllers/cluster/cluster_controller.go @@ -56,11 +56,10 @@ const ( deleteRequeueAfter = 5 * time.Second ) -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;patch -// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;clusters/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;clusters/finalizers,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch // Reconciler reconciles a Cluster object. diff --git a/internal/controllers/machine/machine_controller.go b/internal/controllers/machine/machine_controller.go index fb2668c5632a..e17d9d70944a 100644 --- a/internal/controllers/machine/machine_controller.go +++ b/internal/controllers/machine/machine_controller.go 
@@ -65,9 +65,8 @@ var ( errControlPlaneIsBeingDeleted = errors.New("control plane is being deleted") ) -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch -// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status;machines/finalizers,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch diff --git a/internal/controllers/machinedeployment/machinedeployment_controller.go b/internal/controllers/machinedeployment/machinedeployment_controller.go index 03edc482858e..5724a3e334fa 100644 --- a/internal/controllers/machinedeployment/machinedeployment_controller.go +++ b/internal/controllers/machinedeployment/machinedeployment_controller.go @@ -55,9 +55,8 @@ var ( // in the MachineDeployment controller. const machineDeploymentManagerName = "capi-machinedeployment" -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch -// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/status;machinedeployments/finalizers,verbs=get;list;watch;create;update;patch;delete 
diff --git a/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go b/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go index 08879720d839..6fedc7c455c9 100644 --- a/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go +++ b/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go @@ -67,7 +67,7 @@ const ( totalTargetKeyLog = "total target" ) -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks;machinehealthchecks/status;machinehealthchecks/finalizers,verbs=get;list;watch;update;patch diff --git a/internal/controllers/machineset/machineset_controller.go b/internal/controllers/machineset/machineset_controller.go index 05c9d325a8ad..a72e9114ef92 100644 --- a/internal/controllers/machineset/machineset_controller.go +++ b/internal/controllers/machineset/machineset_controller.go @@ -71,9 +71,8 @@ var ( const machineSetManagerName = "capi-machineset" -// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch -// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/status;machinesets/finalizers,verbs=get;list;watch;create;update;patch;delete 
diff --git a/internal/controllers/topology/cluster/cluster_controller.go b/internal/controllers/topology/cluster/cluster_controller.go index 9e9af3ce1d54..696c16a95c29 100644 --- a/internal/controllers/topology/cluster/cluster_controller.go +++ b/internal/controllers/topology/cluster/cluster_controller.go @@ -56,8 +56,8 @@ import ( ) // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusterclasses,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusterclasses,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks,verbs=get;list;watch;create;update;patch;delete From 60340a4817c548c4d719e28a17308978f917d3bc Mon Sep 17 00:00:00 2001 From: Christian Schlotter Date: Fri, 3 May 2024 16:27:13 +0200 Subject: [PATCH 2/4] add update verb where patch is already allowed --- config/rbac/role.yaml | 2 ++ .../internal/controllers/clusterresourceset_controller.go | 2 +- internal/controllers/cluster/cluster_controller.go | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 11bba85d5131..f3fa875db2f3 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -284,6 +284,7 @@ rules: - get - list - patch + - update - watch - apiGroups: - "" 
@@ -301,6 +302,7 @@ rules: - get - list - patch + - update - watch - apiGroups: - ipam.cluster.x-k8s.io diff --git a/exp/addons/internal/controllers/clusterresourceset_controller.go b/exp/addons/internal/controllers/clusterresourceset_controller.go index a9febf3242f9..8cf1d9825058 100644 --- a/exp/addons/internal/controllers/clusterresourceset_controller.go +++ b/exp/addons/internal/controllers/clusterresourceset_controller.go @@ -52,7 +52,7 @@ import ( var ErrSecretTypeNotSupported = errors.New("unsupported secret type") // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;patch -// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;patch +// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;patch;update // +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=clusterresourcesets/status;clusterresourcesets/finalizers,verbs=get;update;patch diff --git a/internal/controllers/cluster/cluster_controller.go b/internal/controllers/cluster/cluster_controller.go index f6a3f7122152..c1b0cce71ba3 100644 --- a/internal/controllers/cluster/cluster_controller.go +++ b/internal/controllers/cluster/cluster_controller.go @@ -57,7 +57,7 @@ const ( ) // +kubebuilder:rbac:groups=core,resources=events,verbs=create -// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;patch +// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;patch;update // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;clusters/finalizers,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch 
From 47ec791384c42b62ecbc9dc6963c761c81844762 Mon Sep 17 00:00:00 2001 From: Christian Schlotter Date: Fri, 3 May 2024 16:31:29 +0200 Subject: [PATCH 3/4] add get and watch verb where list is already allowed --- controlplane/kubeadm/config/rbac/role.yaml | 2 ++ controlplane/kubeadm/internal/controllers/controller.go | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/controlplane/kubeadm/config/rbac/role.yaml b/controlplane/kubeadm/config/rbac/role.yaml index 2bda63f57e20..138712d74d1f 100644 --- a/controlplane/kubeadm/config/rbac/role.yaml +++ b/controlplane/kubeadm/config/rbac/role.yaml @@ -52,7 +52,9 @@ rules: resources: - machinepools verbs: + - get - list + - watch - apiGroups: - cluster.x-k8s.io resources: diff --git a/controlplane/kubeadm/internal/controllers/controller.go b/controlplane/kubeadm/internal/controllers/controller.go index 50feb81634ef..4aa03e9b090c 100644 --- a/controlplane/kubeadm/internal/controllers/controller.go +++ b/controlplane/kubeadm/internal/controllers/controller.go @@ -67,7 +67,7 @@ const ( // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools,verbs=list +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools,verbs=get;list;watch // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch // KubeadmControlPlaneReconciler reconciles a KubeadmControlPlane object. From 4c8612a424a88caf45d99c64697ba7766e745c8d Mon Sep 17 00:00:00 2001 
From: Christian Schlotter Date: Tue, 7 May 2024 17:12:29 +0200 Subject: [PATCH 4/4] RBAC: remove permissions on finalizers subresource because we never use the subresource directly --- bootstrap/kubeadm/config/rbac/role.yaml | 1 - .../controllers/kubeadmconfig_controller.go | 2 +- config/rbac/role.yaml | 48 ------------------- .../clusterresourceset_controller.go | 2 +- .../controllers/machinepool_controller.go | 2 +- .../controllers/cluster/cluster_controller.go | 2 +- .../controllers/machine/machine_controller.go | 2 +- .../machinedeployment_controller.go | 2 +- .../machinehealthcheck_controller.go | 2 +- .../machineset/machineset_controller.go | 2 +- .../machinedeployment_controller.go | 2 +- .../machineset/machineset_controller.go | 2 +- .../docker/config/rbac/role.yaml | 3 -- .../docker/exp/controllers/exp.go | 2 +- .../dockermachinepool_controller.go | 2 +- .../controllers/dockercluster_controller.go | 2 +- .../controllers/dockermachine_controller.go | 2 +- .../inmemory/config/rbac/role.yaml | 2 - .../controllers/inmemorycluster_controller.go | 2 +- .../controllers/inmemorymachine_controller.go | 2 +- 20 files changed, 16 insertions(+), 70 deletions(-) diff --git a/bootstrap/kubeadm/config/rbac/role.yaml b/bootstrap/kubeadm/config/rbac/role.yaml index bd02b0560d41..bf38a7dd6bd3 100644 --- a/bootstrap/kubeadm/config/rbac/role.yaml +++ b/bootstrap/kubeadm/config/rbac/role.yaml @@ -33,7 +33,6 @@ rules: - bootstrap.cluster.x-k8s.io resources: - kubeadmconfigs - - kubeadmconfigs/finalizers - kubeadmconfigs/status verbs: - create diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go index 935d24476dd9..2499b5e2fcb3 100644 --- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go +++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go 
@@ -72,7 +72,7 @@ type InitLocker interface { Unlock(ctx context.Context, cluster *clusterv1.Cluster) bool } -// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=kubeadmconfigs;kubeadmconfigs/status;kubeadmconfigs/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=kubeadmconfigs;kubeadmconfigs/status,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machinesets;machines;machines/status;machinepools;machinepools/status,verbs=get;list;watch // +kubebuilder:rbac:groups="",resources=secrets;configmaps,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=core,resources=events,verbs=create diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index f3fa875db2f3..25230de2ff76 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -27,7 +27,6 @@ rules: - apiGroups: - addons.cluster.x-k8s.io resources: - - clusterresourcesets/finalizers - clusterresourcesets/status verbs: - get @@ -109,18 +108,6 @@ rules: - get - list - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - clusters - - clusters/finalizers - - clusters/status - verbs: - - get - - list - - patch - - update - - watch - apiGroups: - cluster.x-k8s.io resources: @@ -148,18 +135,6 @@ rules: - cluster.x-k8s.io resources: - machinedeployments - - machinedeployments/finalizers - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - machinedeployments - - machinedeployments/finalizers - machinedeployments/status verbs: - create @@ -185,7 +160,6 @@ rules: - cluster.x-k8s.io resources: - machinehealthchecks - - machinehealthchecks/finalizers - machinehealthchecks/status verbs: - get @@ -209,7 +183,6 @@ rules: - cluster.x-k8s.io resources: - machinepools - - machinepools/finalizers - machinepools/status verbs: - create 
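Review bot: Dropping `kubeadmconfigs/finalizers` from the marker on the new line overlooks the one consumer of that subresource that is not a direct API call: the OwnerReferencesPermissionEnforcement admission plugin requires `update` on the owner's `finalizers` subresource before a client may set `ownerReferences[].blockOwnerDeletion=true` on a dependent object, which is what controller owner references built with metav1.NewControllerRef carry. On management clusters with that plugin enabled (not on by default upstream, but common in hardened distributions) any place these controllers set blockOwnerDeletion on an owned object — the hunk does not show whether they do — would start failing after this series, and the commit message's "we never use the subresource directly" does not cover that indirect use. The same removal is made in every other Go file of this commit (clusterresourceset, machinepool, cluster, machine, machinedeployment, machinehealthcheck, machineset, both topology controllers and the docker and inmemory test providers). If the grant is kept for that reason, a one-line comment above the marker would keep it from being optimized away again, e.g. `// kubeadmconfigs/finalizers: update is required by the OwnerReferencesPermissionEnforcement admission plugin to set blockOwnerDeletion on owned objects.`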
@@ -223,7 +196,6 @@ rules: - cluster.x-k8s.io resources: - machines - - machines/finalizers - machines/status verbs: - create @@ -233,29 +205,10 @@ rules: - patch - update - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - machines - - machines/status - verbs: - - delete - - get - - list - - watch -- apiGroups: - - cluster.x-k8s.io - resources: - - machinesets - verbs: - - get - - list - - watch - apiGroups: - cluster.x-k8s.io resources: - machinesets - - machinesets/finalizers verbs: - get - list @@ -266,7 +219,6 @@ rules: - cluster.x-k8s.io resources: - machinesets - - machinesets/finalizers - machinesets/status verbs: - create diff --git a/exp/addons/internal/controllers/clusterresourceset_controller.go b/exp/addons/internal/controllers/clusterresourceset_controller.go index 8cf1d9825058..7b6865aab00e 100644 --- a/exp/addons/internal/controllers/clusterresourceset_controller.go +++ b/exp/addons/internal/controllers/clusterresourceset_controller.go @@ -54,7 +54,7 @@ var ErrSecretTypeNotSupported = errors.New("unsupported secret type") // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;patch // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;patch;update // +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=clusterresourcesets/status;clusterresourcesets/finalizers,verbs=get;update;patch +// +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=clusterresourcesets/status,verbs=get;update;patch // ClusterResourceSetReconciler reconciles a ClusterResourceSet object. type ClusterResourceSetReconciler struct { diff --git a/exp/internal/controllers/machinepool_controller.go b/exp/internal/controllers/machinepool_controller.go index 354ac35fb81c..ab66d6d06bed 100644 --- a/exp/internal/controllers/machinepool_controller.go +++ b/exp/internal/controllers/machinepool_controller.go 
@@ -53,7 +53,7 @@ import ( // +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status;machinepools/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch;create;update;patch;delete var ( // machinePoolKind contains the schema.GroupVersionKind for the MachinePool type. diff --git a/internal/controllers/cluster/cluster_controller.go b/internal/controllers/cluster/cluster_controller.go index c1b0cce71ba3..97aaa4b2a250 100644 --- a/internal/controllers/cluster/cluster_controller.go +++ b/internal/controllers/cluster/cluster_controller.go @@ -59,7 +59,7 @@ const ( // +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;patch;update // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;clusters/finalizers,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch // Reconciler reconciles a Cluster object. diff --git a/internal/controllers/machine/machine_controller.go b/internal/controllers/machine/machine_controller.go index e17d9d70944a..30b163b5e07b 100644 --- a/internal/controllers/machine/machine_controller.go +++ b/internal/controllers/machine/machine_controller.go 
@@ -68,7 +68,7 @@ var ( // +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status;machines/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch // Reconciler reconciles a Machine object. diff --git a/internal/controllers/machinedeployment/machinedeployment_controller.go b/internal/controllers/machinedeployment/machinedeployment_controller.go index 5724a3e334fa..b22eed51912e 100644 --- a/internal/controllers/machinedeployment/machinedeployment_controller.go +++ b/internal/controllers/machinedeployment/machinedeployment_controller.go @@ -58,7 +58,7 @@ const machineDeploymentManagerName = "capi-machinedeployment" // +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/status;machinedeployments/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/status,verbs=get;list;watch;create;update;patch;delete // Reconciler reconciles a MachineDeployment object. type Reconciler struct { 
diff --git a/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go b/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go index 6fedc7c455c9..b410d1deb7ea 100644 --- a/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go +++ b/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go @@ -70,7 +70,7 @@ const ( // +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks;machinehealthchecks/status;machinehealthchecks/finalizers,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks;machinehealthchecks/status,verbs=get;list;watch;update;patch // Reconciler reconciles a MachineHealthCheck object. type Reconciler struct { diff --git a/internal/controllers/machineset/machineset_controller.go b/internal/controllers/machineset/machineset_controller.go index a72e9114ef92..0b8bc19c2c56 100644 --- a/internal/controllers/machineset/machineset_controller.go +++ b/internal/controllers/machineset/machineset_controller.go 
@@ -74,7 +74,7 @@ const machineSetManagerName = "capi-machineset" // +kubebuilder:rbac:groups=core,resources=events,verbs=create // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/status;machinesets/finalizers,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/status,verbs=get;list;watch;create;update;patch;delete // Reconciler reconciles a MachineSet object. type Reconciler struct { diff --git a/internal/controllers/topology/machinedeployment/machinedeployment_controller.go b/internal/controllers/topology/machinedeployment/machinedeployment_controller.go index b12a66826811..04ecda268900 100644 --- a/internal/controllers/topology/machinedeployment/machinedeployment_controller.go +++ b/internal/controllers/topology/machinedeployment/machinedeployment_controller.go @@ -41,7 +41,7 @@ import ( // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/finalizers,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch;update;patch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets,verbs=get;list;watch // Reconciler deletes referenced templates during deletion of topology-owned MachineDeployments. diff --git a/internal/controllers/topology/machineset/machineset_controller.go b/internal/controllers/topology/machineset/machineset_controller.go index f5f30bac1fd8..9407b4777ca7 100644 
--- a/internal/controllers/topology/machineset/machineset_controller.go +++ b/internal/controllers/topology/machineset/machineset_controller.go @@ -44,7 +44,7 @@ import ( // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=delete // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch -// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/finalizers,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets,verbs=get;list;watch;update;patch // Reconciler deletes referenced templates during deletion of topology-owned MachineSets. // The templates are only deleted, if they are not used in other MachineDeployments or MachineSets which are not in deleting state, diff --git a/test/infrastructure/docker/config/rbac/role.yaml b/test/infrastructure/docker/config/rbac/role.yaml index 546705e9a9f6..83f9ac77eb40 100644 --- a/test/infrastructure/docker/config/rbac/role.yaml +++ b/test/infrastructure/docker/config/rbac/role.yaml @@ -75,7 +75,6 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: - - dockerclusters/finalizers - dockerclusters/status verbs: - get @@ -96,7 +95,6 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: - - dockermachinepools/finalizers - dockermachinepools/status verbs: - get @@ -117,7 +115,6 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: - - dockermachines/finalizers - dockermachines/status verbs: - get diff --git a/test/infrastructure/docker/exp/controllers/exp.go b/test/infrastructure/docker/exp/controllers/exp.go index 47b39adb2ce2..24ff85dc4fb1 100644 --- a/test/infrastructure/docker/exp/controllers/exp.go +++ b/test/infrastructure/docker/exp/controllers/exp.go 
@@ -19,5 +19,5 @@ package controllers
 // This file adds RBAC permissions to the Docker Infrastructure manager to operate on objects in the experimental API group.
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status;dockermachinepools/finalizers,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch
diff --git a/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go b/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go
index a39046f503a3..e763b1e75f09 100644
--- a/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go
+++ b/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go
@@ -77,7 +77,7 @@ type DockerMachinePoolReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status;dockermachinepools/finalizers,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines,verbs=get;list;watch;delete
 // +kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
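Review bot: The three dockermachinepools markers in exp.go are byte-for-byte the same as the ones at the top of dockermachinepool_controller.go's marker block in the next hunk, and this commit has to make the identical edit in both places; that duplication is how a permission trimmed in one file but not the other silently survives into the generated role. Since controller-gen only needs the markers once per manager, keep a single copy (either the exp.go aggregation file or the controller next to the code that needs the verbs) and note in the "This file adds RBAC permissions" comment which file is authoritative, e.g. `// Markers for dockermachinepools live here only; do not repeat them in the controller files.` The DockerMachinePoolReconciler struct that the second hunk's context closes starts outside the hunk.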
diff --git a/test/infrastructure/docker/internal/controllers/dockercluster_controller.go b/test/infrastructure/docker/internal/controllers/dockercluster_controller.go
index b5ace259e65c..2316f3e327ff 100644
--- a/test/infrastructure/docker/internal/controllers/dockercluster_controller.go
+++ b/test/infrastructure/docker/internal/controllers/dockercluster_controller.go
@@ -50,7 +50,7 @@ type DockerClusterReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockerclusters,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockerclusters/status;dockerclusters/finalizers,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockerclusters/status,verbs=get;update;patch
 
 // Reconcile reads that state of the cluster for a DockerCluster object and makes changes based on the state read
 // and what is in the DockerCluster.Spec.
diff --git a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
index 8b517275acfa..2a2a8d7c01c2 100644
--- a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
+++ b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
@@ -63,7 +63,7 @@ type DockerMachineReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachines,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachines/status;dockermachines/finalizers,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachines/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;machinesets;machines,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
diff --git a/test/infrastructure/inmemory/config/rbac/role.yaml b/test/infrastructure/inmemory/config/rbac/role.yaml
index 91e3482a64e9..e344a927db52 100644
--- a/test/infrastructure/inmemory/config/rbac/role.yaml
+++ b/test/infrastructure/inmemory/config/rbac/role.yaml
@@ -57,7 +57,6 @@ rules:
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:
-  - inmemoryclusters/finalizers
   - inmemoryclusters/status
   verbs:
   - get
@@ -78,7 +77,6 @@ rules:
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:
-  - inmemorymachines/finalizers
   - inmemorymachines/status
   verbs:
   - get
diff --git a/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go b/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go
index 96392a543e53..22751838d1e3 100644
--- a/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go
+++ b/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go
@@ -55,7 +55,7 @@ type InMemoryClusterReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemoryclusters,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemoryclusters/status;inmemoryclusters/finalizers,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemoryclusters/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch
 
 // Reconcile reads that state of the cluster for a InMemoryCluster object and makes changes based on the state read
diff --git a/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go b/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go
index 51666e0d8193..04c97f88d22f 100644
--- a/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go
+++ b/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go
@@ -68,7 +68,7 @@ type InMemoryMachineReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemorymachines,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemorymachines/status;inmemorymachines/finalizers,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemorymachines/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;machinesets;machines,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch