From 1275232e15290b4dae148f3689760b6fe85b4d52 Mon Sep 17 00:00:00 2001
From: dvirgilad
Date: Wed, 4 Dec 2024 08:53:30 +0000
Subject: [PATCH] fix: enable impersonation of serviceaccounts
---
 charts/hns/templates/manager-rbac-clusterrole.yaml | 1 +
 config/rbac/role.yaml | 1 +
 internal/migrationhierarchy/controller.go | 1 +
 internal/updatequota/controller.go | 1 +
 4 files changed, 4 insertions(+)
diff --git a/charts/hns/templates/manager-rbac-clusterrole.yaml b/charts/hns/templates/manager-rbac-clusterrole.yaml
index b840bfcf..9dcc2604 100644
--- a/charts/hns/templates/manager-rbac-clusterrole.yaml
+++ b/charts/hns/templates/manager-rbac-clusterrole.yaml
@@ -39,6 +39,7 @@ rules:
 - ""
 resources:
 - users
+ - serviceaccounts
 verbs:
 - impersonate
 - apiGroups:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 8651330c..3cacb5d2 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -38,6 +38,7 @@ rules:
 - ""
 resources:
 - users
+ - serviceaccounts
 verbs:
 - impersonate
 - apiGroups:
diff --git a/internal/migrationhierarchy/controller.go b/internal/migrationhierarchy/controller.go
index cb282198..4197bc80 100644
--- a/internal/migrationhierarchy/controller.go
+++ b/internal/migrationhierarchy/controller.go
@@ -35,6 +35,7 @@ type MigrationHierarchyReconciler struct {
 // +kubebuilder:rbac:groups=dana.hns.io,resources=migrationhierarchies,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=dana.hns.io,resources=migrationhierarchies/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=users,verbs=impersonate
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=impersonate
 func (r *MigrationHierarchyReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
diff --git a/internal/updatequota/controller.go b/internal/updatequota/controller.go
index c3f92bc7..dcfd2a9a 100644
--- a/internal/updatequota/controller.go
+++ b/internal/updatequota/controller.go
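Review bot: The new `serviceaccounts` entry under `resources` has no `resourceNames`, so once this ClusterRole is bound cluster-wide the manager may impersonate every service account in every namespace, including privileged ones such as those in `kube-system`. If the accounts that need to be impersonated are known, restrict the rule with `resourceNames:`. If they are not, record that in a comment on the rule and confirm that the identity the controllers impersonate comes from a value users cannot set themselves; that code is outside this patch. The same unrestricted grant is repeated in `config/rbac/role.yaml` and in the `+kubebuilder:rbac` markers of both controllers, which accept a `resourceNames=` argument.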
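Review bot: The marker added above `SetupWithManager` gives no reason for the grant, and `impersonate` on `serviceaccounts` is a permission a later reader will want justified. A one-line comment before the marker would do, for example `// Requesters may be service accounts; impersonating one is authorized against serviceaccounts, not users.` The first half of that comment is inferred from the commit title, so adjust it to the real reason. The marker added in `internal/updatequota/controller.go` needs the same comment, and `SetupWithManager` continues past the end of the hunk.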
@@ -31,6 +31,7 @@ type UpdateQuotaReconciler struct {
 // +kubebuilder:rbac:groups=dana.hns.io,resources=updatequota/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=user.openshift.io,resources=groups,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=users,verbs=impersonate
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=impersonate
 func (r *UpdateQuotaReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).