Merge pull request kubevirt#12099 from kubevirt-bot/cherry-pick-12089…

…-to-release-1.2 [release-1.2] Collect component Role rules under operator Role instead of ClusterRole
kubevirt-bot · Jun 12, 2024 · a7f093b · a7f093b
2 parents acea01a + cd1408e
commit a7f093b
Show file tree

Hide file tree

Showing 4 changed files with 169 additions and 132 deletions.
diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
@@ -464,14 +464,6 @@ spec:
           - create
           - list
           - get
-        - apiGroups:
-          - ""
-          resources:
-          - configmaps
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - ""
           resources:
@@ -721,42 +713,6 @@ spec:
           verbs:
           - list
           - watch
-        - apiGroups:
-          - route.openshift.io
-          resources:
-          - routes
-          verbs:
-          - list
-          - get
-          - watch
-        - apiGroups:
-          - ""
-          resources:
-          - secrets
-          verbs:
-          - list
-          - get
-          - watch
-        - apiGroups:
-          - networking.k8s.io
-          resources:
-          - ingresses
-          verbs:
-          - list
-          - get
-          - watch
-        - apiGroups:
-          - coordination.k8s.io
-          resources:
-          - leases
-          verbs:
-          - get
-          - list
-          - watch
-          - delete
-          - update
-          - create
-          - patch
         - apiGroups:
           - kubevirt.io
           resources:
@@ -813,14 +769,6 @@ spec:
           - get
           - list
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - configmaps
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - export.kubevirt.io
           resources:
@@ -836,16 +784,6 @@ spec:
           verbs:
           - list
           - watch
-        - apiGroups:
-          - ""
-          resourceNames:
-          - kubevirt-export-ca
-          resources:
-          - configmaps
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - kubevirt.io
           resources:
@@ -1447,6 +1385,68 @@ spec:
           - update
           - create
           - patch
+        - apiGroups:
+          - ""
+          resources:
+          - configmaps
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - route.openshift.io
+          resources:
+          - routes
+          verbs:
+          - list
+          - get
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - secrets
+          verbs:
+          - list
+          - get
+          - watch
+        - apiGroups:
+          - networking.k8s.io
+          resources:
+          - ingresses
+          verbs:
+          - list
+          - get
+          - watch
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - get
+          - list
+          - watch
+          - delete
+          - update
+          - create
+          - patch
+        - apiGroups:
+          - ""
+          resources:
+          - configmaps
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - ""
+          resourceNames:
+          - kubevirt-export-ca
+          resources:
+          - configmaps
+          verbs:
+          - get
+          - list
+          - watch
         serviceAccountName: kubevirt-operator
     strategy: deployment
   installModes:

diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -75,6 +75,68 @@ rules:
   - update
   - create
   - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - delete
+  - update
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - kubevirt-export-ca
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -404,14 +466,6 @@ rules:
   - create
   - list
   - get
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -661,42 +715,6 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - route.openshift.io
-  resources:
-  - routes
-  verbs:
-  - list
-  - get
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - list
-  - get
-  - watch
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - list
-  - get
-  - watch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-  - update
-  - create
-  - patch
 - apiGroups:
   - kubevirt.io
   resources:
@@ -753,14 +771,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - export.kubevirt.io
   resources:
@@ -776,16 +786,6 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - ""
-  resourceNames:
-  - kubevirt-export-ca
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - kubevirt.io
   resources:

diff --git a/pkg/virt-operator/resource/generate/rbac/operator.go b/pkg/virt-operator/resource/generate/rbac/operator.go
@@ -317,15 +317,14 @@ func NewOperatorClusterRole() *rbacv1.ClusterRole {
 	}
 
 	// now append all rules needed by KubeVirt's components
-	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
+	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsClusterRules()...)
 	return operatorRole
 }
 
-func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
-
+func getKubeVirtComponentsClusterRules() []rbacv1.PolicyRule {
 	var rules []rbacv1.PolicyRule
 
-	// namespace doesn't matter, we are only interested in the rules of both Roles and ClusterRoles
+	// namespace doesn't matter, we are only interested in the rules of ClusterRoles
 	all := GetAllApiServer("")
 	all = append(all, GetAllController("")...)
 	all = append(all, GetAllHandler("")...)
@@ -337,9 +336,6 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 		case *rbacv1.ClusterRole:
 			role, _ := resource.(*rbacv1.ClusterRole)
 			rules = append(rules, role.Rules...)
-		case *rbacv1.Role:
-			role, _ := resource.(*rbacv1.Role)
-			rules = append(rules, role.Rules...)
 		}
 	}
 
@@ -375,6 +371,27 @@ func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
 	return rules
 }
 
+func getKubeVirtComponentsRules() []rbacv1.PolicyRule {
+	var rules []rbacv1.PolicyRule
+
+	// namespace doesn't matter, we are only interested in the rules
+	all := GetAllApiServer("")
+	all = append(all, GetAllController("")...)
+	all = append(all, GetAllHandler("")...)
+	all = append(all, GetAllExportProxy("")...)
+	all = append(all, GetAllCluster()...)
+
+	for _, resource := range all {
+		switch resource.(type) {
+		case *rbacv1.Role:
+			role, _ := resource.(*rbacv1.Role)
+			rules = append(rules, role.Rules...)
+		}
+	}
+
+	return rules
+}
+
 func newOperatorClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
 	return &rbacv1.ClusterRoleBinding{
 		TypeMeta: metav1.TypeMeta{
@@ -432,7 +449,7 @@ func newOperatorRoleBinding(namespace string) *rbacv1.RoleBinding {
 
 // NewOperatorRole creates a Role object for kubevirt-operator.
 func NewOperatorRole(namespace string) *rbacv1.Role {
-	return &rbacv1.Role{
+	operatorRole := &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: VersionNamev1,
 			Kind:       "Role",
@@ -527,6 +544,8 @@ func NewOperatorRole(namespace string) *rbacv1.Role {
 			},
 		},
 	}
+	operatorRole.Rules = append(operatorRole.Rules, getKubeVirtComponentsRules()...)
+	return operatorRole
 }
 
 func GetKubevirtComponentsServiceAccounts(namespace string) map[string]bool {