Skip to content

Commit

Permalink
fix: add missing RBAC policy rules for Konnect entities (#735)
Browse files Browse the repository at this point in the history
  • Loading branch information
@pmalek
pmalek authored Oct 10, 2024
1 parent 0780829 commit 0480a50
Show file tree
Hide file tree
Showing 4 changed files with 144 additions and 40 deletions.
87 changes: 68 additions & 19 deletions config/rbac/role/role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,9 +127,6 @@ rules:
resources:
- ingressclassparameterses
- kongclusterplugins
- kongconsumergroups
- kongconsumers
- kongcredentialbasicauths
- kongcustomentities
- kongingresses
- konglicenses
Expand All @@ -143,14 +140,73 @@ rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongcacertificates
- kongcertificates
- kongconsumergroups
- kongconsumers
- kongcredentialacls
- kongcredentialapikeys
- kongcredentialbasicauths
- kongcredentialhmacs
- kongcredentialjwts
- kongdataplaneclientcertificates
- kongkeys
- kongkeysets
- kongroutes
- kongservices
- kongsnis
- kongtargets
- kongupstreams
- kongvaults
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongcacertificates/finalizers
- kongcertificates/finalizers
- kongconsumergroups/finalizers
- kongconsumers/finalizers
- kongcredentialacls/finalizers
- kongcredentialapikeys/finalizers
- kongcredentialbasicauths/finalizers
- kongcredentialhmacs/finalizers
- kongcredentialjwts/finalizers
- kongdataplaneclientcertificates/finalizers
- kongkeys/finalizers
- kongkeysets/finalizers
- kongroutes/finalizers
- kongservices/finalizers
- kongsnis/finalizers
- kongtargets/finalizers
- kongupstreams/finalizers
- kongvaults/finalizers
verbs:
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongcacertificates/status
- kongcertificates/status
- kongclusterplugins/status
- kongconsumergroups/status
- kongconsumers/status
- kongcredentialacls/status
- kongcredentialapikeys/status
- kongcredentialbasicauths/status
- kongcredentialhmacs/status
- kongcredentialjwts/status
- kongcustomentities/status
- kongdataplaneclientcertificates/status
- kongingresses/status
- kongkeys/status
- kongkeysets/status
- konglicenses/status
- kongpluginbindings/status
- kongplugins/status
- kongroutes/status
- kongservices/status
Expand Down Expand Up @@ -178,21 +234,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongroutes
- kongservices
- kongsnis
- kongtargets
- kongupstreams
- kongvaults
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
Expand Down Expand Up @@ -358,6 +399,14 @@ rules:
- patch
- update
- watch
- apiGroups:
- konnect.konghq.com
resources:
- konnectapiauthconfigurations/finalizers
- konnectgatewaycontrolplanes/finalizers
verbs:
- patch
- update
- apiGroups:
- konnect.konghq.com
resources:
Expand Down
12 changes: 10 additions & 2 deletions controller/konnect/reconciler_generic_pluginbindingfinalizer_rbac.go
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,15 @@
package konnect

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices,verbs=get;update
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices,verbs=get
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices/finalizers,verbs=update

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes,verbs=get;update
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes,verbs=get
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes/finalizers,verbs=update

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers,verbs=get
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers/finalizers,verbs=update

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups,verbs=get
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups/finalizers,verbs=update

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongpluginbindings,verbs=delete;list
80 changes: 62 additions & 18 deletions controller/konnect/reconciler_generic_rbac.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,38 +2,82 @@ package konnect

//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectgatewaycontrolplanes,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectgatewaycontrolplanes/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectgatewaycontrolplanes/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongpluginbindings,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongpluginbindings/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcacertificates,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcacertificates/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcacertificates/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcertificates,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcertificates/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcertificates/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreams,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreams/status,verbs=get;update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongtargets,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongtargets/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers,verbs=get;list;watch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups,verbs=get;list;watch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialacls,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialacls/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialacls/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialapikeys,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialapikeys/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialapikeys/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialbasicauths,verbs=get;list;watch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialbasicauths,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialbasicauths/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialbasicauths/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialhmacs,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialhmacs/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialhmacs/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialjwts,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialjwts/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongcredentialjwts/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongdataplaneclientcertificates,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongdataplaneclientcertificates/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongdataplaneclientcertificates/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongkeys,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongkeys/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongkeys/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongkeysets,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongkeysets/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongkeysets/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongsnis,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongsnis/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongsnis/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongtargets,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongtargets/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongtargets/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreams,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreams/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongupstreams/finalizers,verbs=update;patch

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongvaults/finalizers,verbs=update;patch
5 changes: 4 additions & 1 deletion controller/konnect/reconciler_kongplugin_rbac.go
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
package konnect

//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongplugins,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumers,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongconsumergroups,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongservices,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongpluginbindings,verbs=get;list;create;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongroutes,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongpluginbindings,verbs=get;list;create;watch;update;patch;delete

0 comments on commit 0480a50

Please sign in to comment.