

v2: correct and test controller RBAC
Prior to this commit the declared permissions for the RedpandaReconciler had
become out of date. This went unnoticed due to tests utilizing admin
permissions or the inflated permissions required for executing `rpk debug
bundle`.

This commit corrects the permission declaration of the RedpandaReconciler,
updates its tests to use the ClusterRole and Role generated by controller-gen,
and adds a test to statically assert the correctness of the permissions.
chrisseto committed Nov 12, 2024
1 parent c97d279 commit 6678387
Showing 13 changed files with 628 additions and 180 deletions.
66 changes: 19 additions & 47 deletions operator/config/rbac/bases/operator/role.yaml
Expand Up @@ -97,10 +97,10 @@ rules:
- apiGroups:
- cluster.redpanda.com
resources:
- schemas
- topics
- users
- redpandas
verbs:
- create
- delete
- get
- list
- patch
Expand All @@ -109,6 +109,7 @@ rules:
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/finalizers
- schemas/finalizers
- topics/finalizers
- users/finalizers
Expand All @@ -117,13 +118,26 @@ rules:
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/status
- schemas/status
- topics/status
- users/status
verbs:
- get
- patch
- update
- apiGroups:
- cluster.redpanda.com
resources:
- schemas
- topics
- users
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
Expand Down Expand Up @@ -155,6 +169,7 @@ rules:
- clusterroles
verbs:
- create
- delete
- get
- list
- patch
Expand Down Expand Up @@ -309,50 +324,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/finalizers
- schemas/finalizers
- topics/finalizers
- users/finalizers
verbs:
- update
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/status
- schemas/status
- topics/status
- users/status
verbs:
- get
- patch
- update
- apiGroups:
- cluster.redpanda.com
resources:
- schemas
- topics
- users
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
Expand Down Expand Up @@ -394,6 +365,7 @@ rules:
- apiGroups:
- monitoring.coreos.com
resources:
- podmonitors
- servicemonitors
verbs:
- create
103 changes: 45 additions & 58 deletions operator/config/rbac/v2-manager-role/role.yaml
Expand Up @@ -7,7 +7,9 @@ rules:
- apiGroups:
- ""
resources:
- configmaps
- nodes
- secrets
verbs:
- get
- list
Expand All @@ -26,10 +28,10 @@ rules:
- apiGroups:
- cluster.redpanda.com
resources:
- schemas
- topics
- users
- redpandas
verbs:
- create
- delete
- get
- list
- patch
Expand All @@ -38,6 +40,7 @@ rules:
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/finalizers
- schemas/finalizers
- topics/finalizers
- users/finalizers
Expand All @@ -46,13 +49,39 @@ rules:
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/status
- schemas/status
- topics/status
- users/status
verbs:
- get
- patch
- update
- apiGroups:
- cluster.redpanda.com
resources:
- schemas
- topics
- users
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand All @@ -63,15 +92,13 @@ rules:
- apiGroups:
- ""
resources:
- events
- configmaps
- pods
- secrets
- serviceaccounts
- services
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- delete
- get
- list
Expand All @@ -81,12 +108,15 @@ rules:
- apiGroups:
- ""
resources:
- pods
- secrets
- serviceaccounts
- services
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- delete
- get
- list
Expand Down Expand Up @@ -158,50 +188,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/finalizers
- schemas/finalizers
- topics/finalizers
- users/finalizers
verbs:
- update
- apiGroups:
- cluster.redpanda.com
resources:
- redpandas/status
- schemas/status
- topics/status
- users/status
verbs:
- get
- patch
- update
- apiGroups:
- cluster.redpanda.com
resources:
- schemas
- topics
- users
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- helm.toolkit.fluxcd.io
resources:
Expand Down Expand Up @@ -231,6 +217,7 @@ rules:
- apiGroups:
- monitoring.coreos.com
resources:
- podmonitors
- servicemonitors
verbs:
- create
Expand Up @@ -46,7 +46,7 @@ const (

var ErrZeroReplicas = errors.New("redpanda replicas is zero")

// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas,verbs=get;list;watch;
// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas,verbs=get;list;watch;
// +kubebuilder:rbac:groups=core,namespace=default,resources=pods,verbs=update;patch;delete;get;list;watch;
// +kubebuilder:rbac:groups=core,namespace=default,resources=pods/status,verbs=update;patch
// +kubebuilder:rbac:groups=core,namespace=default,resources=persistentvolumeclaims,verbs=get;list;update;patch;delete;watch
18 changes: 8 additions & 10 deletions operator/internal/controller/redpanda/redpanda_controller.go
Expand Up @@ -104,27 +104,25 @@ type RedpandaReconciler struct {

// any resource that Redpanda helm creates and flux controller needs to reconcile them
// +kubebuilder:rbac:groups="",namespace=default,resources=pods,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,namespace=default,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,namespace=default,resources=roles,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,namespace=default,resources=roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=batch,namespace=default,resources=jobs,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,namespace=default,resources=secrets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,namespace=default,resources=services,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,namespace=default,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=core,namespace=default,resources=configmaps;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,namespace=default,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete;
// +kubebuilder:rbac:groups=policy,namespace=default,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps,namespace=default,resources=deployments,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cert-manager.io,namespace=default,resources=certificates,verbs=get;create;update;patch;delete;list;watch
// +kubebuilder:rbac:groups=cert-manager.io,namespace=default,resources=issuers,verbs=get;create;update;patch;delete;list;watch
// +kubebuilder:rbac:groups="monitoring.coreos.com",namespace=default,resources=servicemonitors,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=networking.k8s.io,namespace=default,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="monitoring.coreos.com",namespace=default,resources=podmonitors;servicemonitors,verbs=get;list;watch;create;update;patch;delete

// Console chart
// +kubebuilder:rbac:groups=autoscaling,namespace=default,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=networking.k8s.io,namespace=default,resources=ingresses,verbs=get;list;watch;create;update;patch;delete

// redpanda resources
// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=cluster.redpanda.com,namespace=default,resources=redpandas/finalizers,verbs=update
// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=cluster.redpanda.com,resources=redpandas/finalizers,verbs=update
// +kubebuilder:rbac:groups=core,namespace=default,resources=events,verbs=create;patch

// SetupWithManager sets up the controller with the Manager.
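Review bot: The marker `// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete` gives the operator cluster-wide write access to ClusterRoles and ClusterRoleBindings, which is the broadest grant in this hunk, and the comment above it ("any resource that Redpanda helm creates and flux controller needs to reconcile them") does not say which chart objects require it. A one-line comment naming them, e.g. `// ClusterRole/ClusterRoleBinding are rendered by the chart for <component — TODO name it>; narrower scope is not possible because …`, would let the new static permission test double as documentation of why the grant exists. The API server's escalation check limits what the controller can bind to permissions it already holds, but with this marker set that is already a large set, so it is worth confirming the chart cannot render those objects with namespaced Role/RoleBinding instead. Dropping `namespace=default` from the three `redpandas` markers moves them from the Role into the ClusterRole (the same scope change appears in the unnamed file's hunk above); if the controller is only meant to watch the namespace it is deployed in, the namespaced form was the tighter choice, so the intended watch scope should be stated in the comment. The hunk ends on the `SetupWithManager` doc comment, whose function body is outside the hunk.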

