Merge pull request #9 from mzeevi/bug/fixPermissions

added rbac permissions for manager
dana-team · May 7, 2024 · 0464aa4 · 0464aa4
2 parents 8b10414 + 66c98d8
commit 0464aa4
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 18 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -24,6 +24,7 @@ import (
 	envwebhook "github.com/dana-team/env-route-ns-mutator/internal/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
+	configv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -45,6 +46,7 @@ var (
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(routev1.Install(scheme))
+	utilruntime.Must(configv1.Install(scheme))
 
 	//+kubebuilder:scaffold:scheme
 }

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -1,2 +1,8 @@
 resources:
 - manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+  newName: controller
+  newTag: latest
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -1,15 +1,36 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: manager-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: env-route-ns-mutator
-    app.kubernetes.io/part-of: env-route-ns-mutator
-    app.kubernetes.io/managed-by: kustomize
   name: manager-role
 rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/internal/webhook/namespace_webhook.go b/internal/webhook/namespace_webhook.go
@@ -22,6 +22,8 @@ type NamespaceMutator struct {
 
 const DefaultSchedulerAnnotation = "scheduler.alpha.kubernetes.io/defaultTolerations"
 
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch
+
 // +kubebuilder:webhook:path=/mutate-v1-namespace,mutating=true,failurePolicy=ignore,sideEffects=None,groups="",resources=namespaces,verbs=create;update,versions=v1,name=namespace.dana.io,admissionReviewVersions=v1;v1beta1
 
 func (r *NamespaceMutator) Handle(ctx context.Context, req admission.Request) admission.Response {

diff --git a/internal/webhook/route_webhook.go b/internal/webhook/route_webhook.go
@@ -27,6 +27,9 @@ type RouteMutator struct {
 
 const clusterIngressName = "cluster"
 
+// +kubebuilder:rbac:groups="route.openshift.io",resources=routes,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="config.openshift.io",resources=ingresses,verbs=get;list;watch
+
 // +kubebuilder:webhook:path=/mutate-v1-route,mutating=true,failurePolicy=ignore,sideEffects=None,groups=route.openshift.io,resources=routes,verbs=create;update,versions=v1,name=route.dana.io,admissionReviewVersions=v1;v1beta1
 
 func (r *RouteMutator) Handle(ctx context.Context, req admission.Request) admission.Response {
@@ -52,11 +55,6 @@ func (r *RouteMutator) Handle(ctx context.Context, req admission.Request) admiss
 	}
 
 	environments := environment.GetEnvironments()
-	if err != nil {
-		logger.Error(err, "failed to get environments")
-		return admission.Errored(http.StatusInternalServerError, err)
-	}
-
 	r.handleInner(logger, &route, clusterIngress, environments, namespace.ObjectMeta.Labels)
 
 	marshaledRoute, err := json.Marshal(route)
@@ -76,13 +74,13 @@ func (r *RouteMutator) handleInner(logger logr.Logger, route *routev1.Route, clu
 			switch {
 			case len(routeHost) == 0:
 				routeHost = fmt.Sprintf("%s-%s.%s-%s", route.Name, route.Namespace, env, clusterIngress)
-				logger.Info("Route hostname is empty, modifying to - %q", routeHost)
+				logger.Info("Route hostname is empty, modifying", "routeHost", routeHost)
 			case strings.Contains(routeHost, clusterIngress):
 				environmentIngress := fmt.Sprintf("%s-%s", env, clusterIngress)
 				routeHost = strings.Replace(routeHost, clusterIngress, environmentIngress, 1)
-				logger.Info("Route hostname includes cluster ingress, modifying to - %q", routeHost)
+				logger.Info("Route hostname includes cluster ingress, modifying", "routeHost", routeHost)
 			default:
-				logger.Info("Route hostname is shortened, remains unchanged - %q", routeHost)
+				logger.Info("Route hostname is shortened, remains unchanged", "routeHost", routeHost)
 			}
 
 			route.Spec.Host = routeHost