diff --git a/config/deployment/rbac_role_binding.yaml b/config/deployment/rbac_role_binding.yaml index 3a76d186e..d9dd880d5 100644 --- a/config/deployment/rbac_role_binding.yaml +++ b/config/deployment/rbac_role_binding.yaml @@ -10,4 +10,18 @@ roleRef: subjects: - kind: ServiceAccount name: fdb-kubernetes-operator-controller-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + name: manager-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: fdb-kubernetes-operator-manager-clusterrole +subjects: +- kind: ServiceAccount + name: fdb-kubernetes-operator-controller-manager + namespace: metadata.namespace diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml new file mode 100644 index 000000000..e7aea3ac4 --- /dev/null +++ b/config/rbac/cluster_role.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-clusterrole +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index b4dab00bf..83f22ee62 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -2,3 +2,4 @@ kind: Kustomization apiVersion: kustomize.config.k8s.io/v1beta1 resources: - role.yaml +- cluster_role.yaml diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index b5ff077be..957aeb28b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -22,14 +22,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - apiGroups: - apps resources: diff --git a/config/samples/deployment.yaml b/config/samples/deployment.yaml index 38d8dedd0..61d727c59 100644 --- a/config/samples/deployment.yaml +++ b/config/samples/deployment.yaml 
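Review bot: The ServiceAccount subject of the new ClusterRoleBinding in config/deployment/rbac_role_binding.yaml sets `namespace: metadata.namespace`, which as written is a literal string, not a reference to the namespace the operator runs in. Unless a kustomize replacement or an install step outside this diff rewrites that value, the binding will not match the `fdb-kubernetes-operator-controller-manager` service account, and the node `get`/`list`/`watch` calls that previously went through the manager role will be denied. The same value appears in the ClusterRoleBinding added to config/samples/deployment.yaml (hunk at +139,20). Either wire the substitution into the kustomization or mark the placeholder where it is used, for example with `# placeholder: replace metadata.namespace with the namespace the operator's ServiceAccount lives in` directly above the subject.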
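Review bot: The new config/rbac/cluster_role.yaml carries no comment saying that it is maintained by hand. The nodes rule it replaces appears to have been generated into role.yaml from the `+kubebuilder:rbac` marker that this commit deletes from controllers/cluster_controller.go. A header such as `# Hand-maintained (not generated from kubebuilder markers): nodes are cluster-scoped, so read access is granted through a separate ClusterRole.` would stop a later regeneration or marker re-add from moving the rule back into the manager role. Anything added to this file is granted cluster-wide through the ClusterRoleBinding, so it is also worth stating in that comment that the rule is meant to stay limited to `get`, `list` and `watch` on `nodes`. The `creationTimestamp: null` line can be dropped from a hand-written manifest.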
@@ -5,6 +5,21 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + creationTimestamp: null + name: fdb-kubernetes-operator-manager-clusterrole +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: creationTimestamp: null name: fdb-kubernetes-operator-manager-role @@ -26,14 +41,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - apiGroups: - apps resources: @@ -132,6 +139,20 @@ subjects: - kind: ServiceAccount name: fdb-kubernetes-operator-controller-manager --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + name: fdb-kubernetes-operator-manager-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: fdb-kubernetes-operator-manager-clusterrole +subjects: +- kind: ServiceAccount + name: fdb-kubernetes-operator-controller-manager + namespace: metadata.namespace +--- apiVersion: apps/v1 kind: Deployment metadata: diff --git a/controllers/cluster_controller.go b/controllers/cluster_controller.go index 3aab51026..7e1904c49 100644 --- a/controllers/cluster_controller.go +++ b/controllers/cluster_controller.go 
@@ -78,7 +78,6 @@ func NewFoundationDBClusterReconciler(podLifecycleManager podmanager.PodLifecycl
 // +kubebuilder:rbac:groups=apps.foundationdb.org,resources=foundationdbclusters/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=pods;configmaps;persistentvolumeclaims;events;secrets;services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="coordination.k8s.io",resources=leases,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // Reconcile runs the reconciliation logic.
 func (r *FoundationDBClusterReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {