fix: enable impersonation of serviceaccounts

dana-team · Dec 4, 2024 · 1275232 · 1275232
1 parent 285a0ca
commit 1275232
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 0 deletions.
diff --git a/charts/hns/templates/manager-rbac-clusterrole.yaml b/charts/hns/templates/manager-rbac-clusterrole.yaml
@@ -39,6 +39,7 @@ rules:
   - ""
   resources:
   - users
+  - serviceaccounts
   verbs:
   - impersonate
 - apiGroups:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -38,6 +38,7 @@ rules:
   - ""
   resources:
   - users
+  - serviceaccounts
   verbs:
   - impersonate
 - apiGroups:

diff --git a/internal/migrationhierarchy/controller.go b/internal/migrationhierarchy/controller.go
@@ -35,6 +35,7 @@ type MigrationHierarchyReconciler struct {
 // +kubebuilder:rbac:groups=dana.hns.io,resources=migrationhierarchies,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=dana.hns.io,resources=migrationhierarchies/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=users,verbs=impersonate
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=impersonate
 
 func (r *MigrationHierarchyReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).

diff --git a/internal/updatequota/controller.go b/internal/updatequota/controller.go
@@ -31,6 +31,7 @@ type UpdateQuotaReconciler struct {
 // +kubebuilder:rbac:groups=dana.hns.io,resources=updatequota/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=user.openshift.io,resources=groups,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=users,verbs=impersonate
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=impersonate
 
 func (r *UpdateQuotaReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).