
Role and Clusterrole binding are not generated correctly #760

Open
RealAnna opened this issue Jan 12, 2023 · 1 comment
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@RealAnna

CONTROLLER_TOOLS_VERSION=v0.10.0

command:
controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases

What I did:
My controller needs to access both a cluster resource and a namespaced one so I use both annotations to autogenerate rbac rules.

What happened:
When annotating the controller with both namespaced and cluster rbac rules, both roles are created but only one binding.

What I would expect:
Both bindings for the clusterrole and the role are generated

How To Reproduce:

1. In a kubebuilder PROJECT annotate a controller with
//clusterrole
// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;

//role
// +kubebuilder:rbac:groups="",namespace=mynamespace,resources=secrets,verbs=get;list;watch;create;update;patch;delete
2. Run make manifests or controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases

3. Observe that the role.yaml file has both ClusterRole and Role correctly generated

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: manager-role
  namespace: mynamespace
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
4. Check that role_binding.yaml has only the ClusterRole binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: system

Temporary fix
I could manually add the other binding and list it in the kustomization.yaml, but I would expect the tool to generate both in the role_binding.yaml
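Added example, written for this page rather than taken from controller-tools or from the reporter: a small Go program that reads the role.yaml shown above and emits the binding document for every Role and ClusterRole it finds, i.e. the RoleBinding that controller-gen currently leaves out next to the ClusterRoleBinding it already writes. The line scanner, the `manager-rolebinding` name reused for both kinds, and the `generateBindings` helper are assumptions of this example; the ServiceAccount subject (`cert-manager` in namespace `system`) is copied from the issue's generated ClusterRoleBinding. The least-privilege point is that the missing piece is a RoleBinding inside `mynamespace`: binding the Role that way keeps the secrets permissions confined to that namespace, whereas working around the gap by promoting the rule to the ClusterRole would grant secrets access cluster-wide.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleRoleYAML is the role.yaml from the issue (both documents, verbs abbreviated).
const sampleRoleYAML = `---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: manager-role
  namespace: mynamespace
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
`

// roleRef is what a binding needs to know about a generated role.
type roleRef struct {
	Kind      string // "Role" or "ClusterRole"
	Name      string
	Namespace string // set only for a Role
}

// parseRoles extracts kind, metadata.name and metadata.namespace from each
// document of a controller-gen role.yaml. It is a small line scanner written
// for this example (not a YAML parser) and relies on the regular two-space
// layout controller-gen emits.
func parseRoles(doc string) []roleRef {
	var out []roleRef
	for _, d := range strings.Split(doc, "\n---") {
		var r roleRef
		inMeta := false
		for _, line := range strings.Split(d, "\n") {
			switch {
			case strings.HasPrefix(line, "kind:"):
				r.Kind = strings.TrimSpace(strings.TrimPrefix(line, "kind:"))
			case strings.HasPrefix(line, "metadata:"):
				inMeta = true
			case inMeta && strings.HasPrefix(line, "  name:"):
				r.Name = strings.TrimSpace(strings.TrimPrefix(line, "  name:"))
			case inMeta && strings.HasPrefix(line, "  namespace:"):
				r.Namespace = strings.TrimSpace(strings.TrimPrefix(line, "  namespace:"))
			case inMeta && !strings.HasPrefix(line, " "):
				inMeta = false // left the metadata block (e.g. reached "rules:")
			}
		}
		if r.Kind == "Role" || r.Kind == "ClusterRole" {
			out = append(out, r)
		}
	}
	return out
}

// bindingFor renders the binding for one role: a RoleBinding in the Role's own
// namespace, or a ClusterRoleBinding for a ClusterRole. Both reuse the
// manager-rolebinding name (assumption; different kinds do not collide).
func bindingFor(r roleRef, saName, saNamespace string) string {
	var b strings.Builder
	b.WriteString("apiVersion: rbac.authorization.k8s.io/v1\n")
	if r.Kind == "Role" {
		fmt.Fprintf(&b, "kind: RoleBinding\nmetadata:\n  name: manager-rolebinding\n  namespace: %s\n", r.Namespace)
	} else {
		b.WriteString("kind: ClusterRoleBinding\nmetadata:\n  name: manager-rolebinding\n")
	}
	fmt.Fprintf(&b, "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: %s\n  name: %s\n", r.Kind, r.Name)
	fmt.Fprintf(&b, "subjects:\n- kind: ServiceAccount\n  name: %s\n  namespace: %s\n", saName, saNamespace)
	return b.String()
}

// generateBindings returns a complete role_binding.yaml: one binding document
// per Role/ClusterRole found in roleYAML, separated by "---".
func generateBindings(roleYAML, saName, saNamespace string) string {
	var docs []string
	for _, r := range parseRoles(roleYAML) {
		docs = append(docs, bindingFor(r, saName, saNamespace))
	}
	return strings.Join(docs, "---\n")
}

func main() {
	// Prints both bindings; the RoleBinding is the one missing from the issue's output.
	fmt.Print(generateBindings(sampleRoleYAML, "cert-manager", "system"))
}
```

Running it prints a ClusterRoleBinding identical in shape to the one in the issue, followed by a RoleBinding in `mynamespace` whose roleRef points at the namespaced Role. The output can be dropped into role_binding.yaml as the manual fix the reporter describes, and `kubectl auth can-i get secrets --as=system:serviceaccount:system:cert-manager -n mynamespace` (versus the same check in another namespace) confirms the permission stays scoped to that one namespace.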

@camilamacedo86
Member

If you try to move forward and use Roles instead of ClusterRole, then it does not work properly without manual changes. More info: https://sdk.operatorframework.io/docs/building-operators/golang/operator-scope/#changing-the-permissions-to-namespaced

However, it would be great if we could change controller-gen to do this. Please feel free to contribute to this one and push a pull request to address this need.

@camilamacedo86 camilamacedo86 added kind/feature Categorizes issue or PR as related to a new feature. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jan 31, 2023