Add permission for create or update submariner resource

tkestack · Jul 11, 2021 · 4568bf2 · 4568bf2
1 parent 02a5709
commit 4568bf2
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 5 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -29,6 +29,7 @@ spec:
         - /manager
         args:
         - --leader-elect
+        - -v=2
         image: controller:latest
         name: manager
         securityContext:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -6,10 +6,66 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
   - ""
   resources:
-  - configmaps
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - lighthouse.submariner.io
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - multicluster.x-k8s.io
+  resources:
+  - '*'
   verbs:
   - create
   - delete
@@ -44,3 +100,29 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - get
+- apiGroups:
+  - submariner.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
diff --git a/controllers/fabric_controller.go b/controllers/fabric_controller.go
@@ -54,10 +54,22 @@ const (
 	AllAction    = "all"
 )
 
-//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=operator.tkestack.io,resources=fabrics,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=operator.tkestack.io,resources=fabrics/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=operator.tkestack.io,resources=fabrics/finalizers,verbs=update
+// +kubebuilder:rbac:groups=apps,resources=*,verbs=*
+// +kubebuilder:rbac:groups=core,resources=*,verbs=*
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;delete
+// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
+
+// +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get
+// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create
+
+// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list;watch;create;update;patch;delete;deletecollection
+// +kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=lighthouse.submariner.io,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=submariner.io,resources=*,verbs=*
+
+// +kubebuilder:rbac:groups=operator.tkestack.io,resources=fabrics,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=operator.tkestack.io,resources=fabrics/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=operator.tkestack.io,resources=fabrics/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.