From 0c7641e7aaec8be1d47f12b004546e935bb1fa55 Mon Sep 17 00:00:00 2001
From: matancarmeli7
Date: Mon, 10 Apr 2023 09:14:43 +0300
Subject: [PATCH 1/4] add roles to operator
Signed-off-by: matancarmeli7
---
 config/rbac/role.yaml | 42 +++++++++++++++++
 .../crutils/static_resource_generator.go | 45 ++++++++++++++++---
 .../generated/ibm-block-csi-operator.yaml | 42 +++++++++++++++++
 3 files changed, 122 insertions(+), 7 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 11fc8cb81..0d45b378a 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -275,3 +275,45 @@ rules:
 - volumeattachments/status
 verbs:
 - patch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroupclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroupcontents
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroups/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroups/status
+ verbs:
+ - get
+ - patch
+ - update
\ No newline at end of file
diff --git a/controllers/internal/crutils/static_resource_generator.go b/controllers/internal/crutils/static_resource_generator.go
index c34ececeb..cfcccfd1a 100644
--- a/controllers/internal/crutils/static_resource_generator.go
+++ b/controllers/internal/crutils/static_resource_generator.go
@@ -28,7 +28,8 @@ import (
 const (
 snapshotStorageApiGroup string = "snapshot.storage.k8s.io"
 securityOpenshiftApiGroup string = "security.openshift.io"
- volumeGroupApiGroup string = "csi.ibm.com"
+ IBMVolumeGroupApiGroup string = "csi.ibm.com"
+ communityVolumeGroupApiGroup string = "volumegroup.storage.openshift.io"
 storageApiGroup string = "storage.k8s.io"
 rbacAuthorizationApiGroup string = "rbac.authorization.k8s.io"
 replicationStorageOpenshiftApiGroup string = "replication.storage.openshift.io"
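Review bot: `IBMVolumeGroupApiGroup` is the only exported name among the constants in this hunk; every sibling, including the new `communityVolumeGroupApiGroup`, is unexported. Unless another package needs it (nothing in this series shows that), keep it package-private as `ibmVolumeGroupApiGroup`, so the API-group strings that feed RBAC generation stay internal to crutils. The const block continues outside the hunk.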
@@ -412,32 +413,62 @@ func (c *IBMBlockCSI) GenerateVolumeGroupClusterRole() *rbacv1.ClusterRole {
 },
 Rules: []rbacv1.PolicyRule{
 {
- APIGroups: []string{volumeGroupApiGroup},
+ APIGroups: []string{communityVolumeGroupApiGroup},
 Resources: []string{volumeGroupsResources},
 Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
 },
 {
- APIGroups: []string{volumeGroupApiGroup},
+ APIGroups: []string{communityVolumeGroupApiGroup},
 Resources: []string{volumeGroupsStatusResource},
 Verbs: []string{verbGet, verbUpdate, verbPatch},
 },
 {
- APIGroups: []string{volumeGroupApiGroup},
+ APIGroups: []string{communityVolumeGroupApiGroup},
 Resources: []string{volumeGroupsFinalizersResource},
 Verbs: []string{verbUpdate},
 },
 {
- APIGroups: []string{volumeGroupApiGroup},
+ APIGroups: []string{communityVolumeGroupApiGroup},
 Resources: []string{volumeGroupClassesResource},
 Verbs: []string{verbGet, verbList, verbWatch},
 },
 {
- APIGroups: []string{volumeGroupApiGroup},
+ APIGroups: []string{communityVolumeGroupApiGroup},
 Resources: []string{volumeGroupContentsResource},
 Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
 },
 {
- APIGroups: []string{volumeGroupApiGroup},
+ APIGroups: []string{communityVolumeGroupApiGroup},
+ Resources: []string{volumeGroupContentsStatusResource},
+ Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
+ },
+ {
+ APIGroups: []string{IBMVolumeGroupApiGroup},
+ Resources: []string{volumeGroupsResources},
+ Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
+ },
+ {
+ APIGroups: []string{IBMVolumeGroupApiGroup},
+ Resources: []string{volumeGroupsStatusResource},
+ Verbs: []string{verbGet, verbUpdate, verbPatch},
+ },
+ {
+ APIGroups: []string{IBMVolumeGroupApiGroup},
+ Resources: []string{volumeGroupsFinalizersResource},
+ Verbs: []string{verbUpdate},
+ },
+ {
+ APIGroups: []string{IBMVolumeGroupApiGroup},
+ Resources: []string{volumeGroupClassesResource},
+ Verbs: []string{verbGet, verbList, verbWatch},
+ },
+ {
+ APIGroups: []string{IBMVolumeGroupApiGroup},
+ Resources: []string{volumeGroupContentsResource},
+ Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
+ },
+ {
+ APIGroups: []string{IBMVolumeGroupApiGroup},
 Resources: []string{volumeGroupContentsStatusResource},
 Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
 },
diff --git a/deploy/installer/generated/ibm-block-csi-operator.yaml b/deploy/installer/generated/ibm-block-csi-operator.yaml
index fdda5c748..16dca9c49 100644
--- a/deploy/installer/generated/ibm-block-csi-operator.yaml
+++ b/deploy/installer/generated/ibm-block-csi-operator.yaml
@@ -2067,6 +2067,48 @@ rules:
 - volumeattachments/status
 verbs:
 - patch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroupclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroupcontents
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroups/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroups/status
+ verbs:
+ - get
+ - patch
+ - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
From 99fdff70f8d475d785704f98d7d7af641990fb01 Mon Sep 17 00:00:00 2001
From: matancarmeli7
Date: Mon, 10 Apr 2023 09:15:26 +0300
Subject: [PATCH 2/4] add new line
Signed-off-by: matancarmeli7
---
 config/rbac/role.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 0d45b378a..e7032b27d 100644
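Review bot: In GenerateVolumeGroupClusterRole the six volume group rules are now written out twice, once per API group, with identical resources and verbs, so every later verb change has to be made in two places (the third patch in this series already does exactly that for the contents status rule). `PolicyRule.APIGroups` is a list, so each rule can name both groups, e.g. `APIGroups: []string{communityVolumeGroupApiGroup, IBMVolumeGroupApiGroup},`, and the six duplicated entries can be dropped. For a ClusterRole this matters beyond tidiness, because a missed edit leaves one group with broader verbs than intended. If `csi.ibm.com` is kept only for migration, a short comment saying when the grant can be removed would help; the function body starts and ends outside the hunk.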
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -316,4 +316,4 @@ rules:
 verbs:
 - get
 - patch
- - update
\ No newline at end of file
+ - update
From 934c3c9ba3cc3a4804feb5951dec27af61a8df8e Mon Sep 17 00:00:00 2001
From: matancarmeli7
Date: Mon, 10 Apr 2023 09:56:54 +0300
Subject: [PATCH 3/4] add more permissions to vgc
Signed-off-by: matancarmeli7
---
 config/rbac/role.yaml | 12 ++++++++++++
 .../internal/crutils/static_resource_generator.go | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index e7032b27d..32bbdb2d6 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -288,8 +288,12 @@ rules:
 resources:
 - volumegroupcontents
 verbs:
+ - create
+ - delete
 - get
 - list
+ - patch
+ - update
 - watch
 - apiGroups:
 - volumegroup.storage.openshift.io
@@ -317,3 +321,11 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroupcontents/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/controllers/internal/crutils/static_resource_generator.go b/controllers/internal/crutils/static_resource_generator.go
index cfcccfd1a..ce551feda 100644
--- a/controllers/internal/crutils/static_resource_generator.go
+++ b/controllers/internal/crutils/static_resource_generator.go
@@ -440,7 +440,7 @@ func (c *IBMBlockCSI) GenerateVolumeGroupClusterRole() *rbacv1.ClusterRole {
 {
 APIGroups: []string{communityVolumeGroupApiGroup},
 Resources: []string{volumeGroupContentsStatusResource},
- Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
+ Verbs: []string{verbGet, verbUpdate, verbPatch},
 },
 {
 APIGroups: []string{IBMVolumeGroupApiGroup},
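Review bot: In config/rbac/role.yaml (second hunk of the third patch) the new `volumegroupcontents/status` rule is appended after `volumegroups/status`, while the rules added in the first patch are in sorted order, which suggests the file is being edited by hand. If role.yaml is generated from `+kubebuilder:rbac` markers in the Go sources (no marker change is visible in this series), the next regeneration would silently drop these grants. The operator could then lack permissions that GenerateVolumeGroupClusterRole puts into the ClusterRole it builds. Update the markers in the same commit, or say in the commit description that the file is maintained manually.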
@@ -470,7 +470,7 @@ func (c *IBMBlockCSI) GenerateVolumeGroupClusterRole() *rbacv1.ClusterRole {
 {
 APIGroups: []string{IBMVolumeGroupApiGroup},
 Resources: []string{volumeGroupContentsStatusResource},
- Verbs: []string{verbGet, verbList, verbWatch, verbCreate, verbUpdate, verbPatch, verbDelete},
+ Verbs: []string{verbGet, verbUpdate, verbPatch},
 },
 {
 APIGroups: []string{""},
From b93cb28fd1734832e3c968d40a7d7d9d8ee7c7e9 Mon Sep 17 00:00:00 2001
From: matancarmeli7
Date: Mon, 10 Apr 2023 10:04:52 +0300
Subject: [PATCH 4/4] update yaml files
Signed-off-by: matancarmeli7
---
 .../generated/ibm-block-csi-operator.yaml | 12 +++++
 ...perator.v1.12.0.clusterserviceversion.yaml | 54 +++++++++++++++++++
 ...ck-csi-operator.clusterserviceversion.yaml | 54 +++++++++++++++++++
 3 files changed, 120 insertions(+)
diff --git a/deploy/installer/generated/ibm-block-csi-operator.yaml b/deploy/installer/generated/ibm-block-csi-operator.yaml
index 16dca9c49..831b8c97f 100644
--- a/deploy/installer/generated/ibm-block-csi-operator.yaml
+++ b/deploy/installer/generated/ibm-block-csi-operator.yaml
@@ -2080,8 +2080,12 @@ rules:
 resources:
 - volumegroupcontents
 verbs:
+ - create
+ - delete
 - get
 - list
+ - patch
+ - update
 - watch
 - apiGroups:
 - volumegroup.storage.openshift.io
@@ -2109,6 +2113,14 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - volumegroup.storage.openshift.io
+ resources:
+ - volumegroupcontents/status
+ verbs:
+ - get
+ - patch
+ - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/deploy/olm-catalog/ibm-block-csi-operator-community/1.12.0/manifests/ibm-block-csi-operator.v1.12.0.clusterserviceversion.yaml b/deploy/olm-catalog/ibm-block-csi-operator-community/1.12.0/manifests/ibm-block-csi-operator.v1.12.0.clusterserviceversion.yaml
index bc89e50d4..652c09cec 100644
--- a/deploy/olm-catalog/ibm-block-csi-operator-community/1.12.0/manifests/ibm-block-csi-operator.v1.12.0.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/ibm-block-csi-operator-community/1.12.0/manifests/ibm-block-csi-operator.v1.12.0.clusterserviceversion.yaml @@ -608,6 +608,60 @@ spec: - volumeattachments/status verbs: - patch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroupclasses + verbs: + - get + - list + - watch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroupcontents + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroups/finalizers + verbs: + - update + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroups/status + verbs: + - get + - patch + - update + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroupcontents/status + verbs: + - get + - patch + - update deployments: - name: ibm-block-csi-operator diff --git a/deploy/olm-catalog/ibm-block-csi-operator/1.12.0/manifests/ibm-block-csi-operator.clusterserviceversion.yaml b/deploy/olm-catalog/ibm-block-csi-operator/1.12.0/manifests/ibm-block-csi-operator.clusterserviceversion.yaml index 57daf012e..ec0c45ee5 100644 --- a/deploy/olm-catalog/ibm-block-csi-operator/1.12.0/manifests/ibm-block-csi-operator.clusterserviceversion.yaml +++ b/deploy/olm-catalog/ibm-block-csi-operator/1.12.0/manifests/ibm-block-csi-operator.clusterserviceversion.yaml 
@@ -598,6 +598,60 @@ spec: - volumeattachments/status verbs: - patch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroupclasses + verbs: + - get + - list + - watch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroupcontents + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroups/finalizers + verbs: + - update + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroups/status + verbs: + - get + - patch + - update + - apiGroups: + - volumegroup.storage.openshift.io + resources: + - volumegroupcontents/status + verbs: + - get + - patch + - update deployments: - name: ibm-block-csi-operator