From 2e4ddbd88b52db824cf4ebb27058417b144cc27c Mon Sep 17 00:00:00 2001
From: Simon
Date: Thu, 26 Oct 2023 12:35:48 +0200
Subject: [PATCH] Adds configMap RBAC (#15)

* Adds RBAC to read the azure cluster details configmap
- Gives permissions for controller SA to read the `extension-manager-configmap`
- Need just need to read a specific one in kube-system
* Scoping RBAC down to namespaces doesn't work great
- Gets stripped out at some point in the tooling
---
 config/rbac/role.yaml | 8 ++++++++
 .../controller/automatedclusterdiscovery_controller.go | 1 +
 2 files changed, 9 insertions(+)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 616b700..94c6205 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - ""
 resources:
diff --git a/internal/controller/automatedclusterdiscovery_controller.go b/internal/controller/automatedclusterdiscovery_controller.go
index 5f2cd8b..0638d53 100644
--- a/internal/controller/automatedclusterdiscovery_controller.go
+++ b/internal/controller/automatedclusterdiscovery_controller.go
@@ -57,6 +57,7 @@ type AutomatedClusterDiscoveryReconciler struct {
 //+kubebuilder:rbac:groups=clusters.weave.works,resources=automatedclusterdiscoveries/finalizers,verbs=update
 //+kubebuilder:rbac:groups=gitops.weave.works,resources=gitopsclusters,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
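Review bot: The added marker `//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch` lets the controller's service account read every ConfigMap in every namespace, while the commit message says only `extension-manager-configmap` in kube-system is needed. If the namespace cannot be pinned through the tooling, the rule can still be narrowed by name, e.g. `//+kubebuilder:rbac:groups="",resources=configmaps,resourceNames=extension-manager-configmap,verbs=get`; this presumably requires the reconciler to fetch the object through an uncached reader, since a cache-backed client needs list/watch. At minimum, a comment above the marker should record why the grant is cluster-wide, so that the broad read access is a documented decision rather than an accident of the tooling. The marker block starts above this hunk, and the matching rule in the config/rbac/role.yaml hunk looks generated from it, so it would follow the marker.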