From f760061c0b26fea3580903ab8daa3320f9950a74 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Tue, 3 May 2022 10:52:10 -0400 Subject: [PATCH 1/2] Add RBAC recommendations for controllers The parent and child reconciler each make client requests based on the resources being reconciled. We should give guidance to users as to what RBAC permissions are required to effectively use the reconcilers. The RBAC permissions are defined as kubebuilder annotations that can be parsed and converted into a ClusterRole via controller-gen. Signed-off-by: Scott Andrews --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index bb9e544..1349f27 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,16 @@ func FunctionReconciler(c reconcilers.Config) *reconcilers.ParentReconciler { ``` [full source](https://github.com/projectriff/system/blob/4c3b75327bf99cc37b57ba14df4c65d21dc79d28/pkg/controllers/build/function_reconciler.go#L39-L51) +**Recommended RBAC:** + +Replace `` and `` with values for the parent type. + +```go +// +kubebuilder:rbac:groups=,resources=,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=,resources=/status,verbs=get;update;patch +// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete +``` + ### SubReconciler The [`SubReconciler`](https://pkg.go.dev/github.com/vmware-labs/reconciler-runtime/reconcilers#SubReconciler) interface defines the contract between the parent and sub reconcilers. 
@@ -196,6 +206,14 @@ func FunctionChildImageReconciler(c reconcilers.Config) reconcilers.SubReconcile ``` [full source](https://github.com/projectriff/system/blob/4c3b75327bf99cc37b57ba14df4c65d21dc79d28/pkg/controllers/build/function_reconciler.go#L76-L151) +**Recommended RBAC:** + +Replace `` and `` with values for the child type. + +```go +// +kubebuilder:rbac:groups=,resources=,verbs=get;list;watch;create;update;patch;delete +``` + ### Higher-order Reconcilers Higher order reconcilers are SubReconcilers that do not perform work directly, but instead compose other SubReconcilers in new patterns. From 81719e3202ad69bf6b38d44dedb9dc151b9d66b4 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Tue, 3 May 2022 11:31:38 -0400 Subject: [PATCH 2/2] also show yaml examples Signed-off-by: Scott Andrews --- README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/README.md b/README.md index 1349f27..134a75c 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,25 @@ Replace `` and `` with values for the parent type. // +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;update;patch;delete ``` +or + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: # any name that is bound to the ServiceAccount used by the client +rules: +- apiGroups: [""] + resources: [""] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +- apiGroups: [""] + resources: ["/status"] + verbs: ["get", "update", "patch"] +- apiGroups: ["core"] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +``` + ### SubReconciler The [`SubReconciler`](https://pkg.go.dev/github.com/vmware-labs/reconciler-runtime/reconcilers#SubReconciler) interface defines the contract between the parent and sub reconcilers. 
@@ -214,6 +233,20 @@ Replace `` and `` with values for the child type. // +kubebuilder:rbac:groups=,resources=,verbs=get;list;watch;create;update;patch;delete ``` +or + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: # any name that is bound to the ServiceAccount used by the client +rules: +- apiGroups: [""] + resources: [""] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +``` + + ### Higher-order Reconcilers Higher order reconcilers are SubReconcilers that do not perform work directly, but instead compose other SubReconcilers in new patterns.
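Review bot: in the first hunk of PATCH 1/2 the placeholders in `Replace `` and `` with values for the parent type.` and in `groups=,resources=` are empty, so a reader cannot tell which token is the API group and which is the resource; spell them out (for example `<group>` and `<resource>` in backticks) and reuse the same names in the marker lines so the generated rules can be matched back to the prose. The first marker also grants `create;update;patch;delete` on the parent type itself; if the parent reconciler only reads the parent and writes its `/status`, say so and trim that rule to `get;list;watch` (plus `update;patch` only where the reconciler actually mutates the parent), so the recommended RBAC stays least-privilege.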
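Review bot: the second hunk of PATCH 1/2 has the same empty placeholders in `Replace `` and `` with values for the child type.` and in `groups=,resources=`; make them explicit. Since the child rule is the one that legitimately needs the full verb set (the child reconciler creates, updates and deletes the child resource), a one-line explanation of why its verbs differ from the parent rule would help readers who are tightening permissions rather than copying the widest set.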
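Review bot: in the first hunk of PATCH 2/2 the events rule `- apiGroups: ["core"]` is incorrect for a hand-written RBAC manifest: the Kubernetes core API group is the empty string, so it must read `- apiGroups: [""]`; as written the rule matches no API group and the controller is denied when it records events. The Go marker `groups=core` above is fine because controller-gen special-cases `core` and emits `""` in the generated ClusterRole, which is exactly why the YAML must not copy the word literally. The same empty-placeholder problem appears in `resources: [""]` and `resources: ["/status"]`.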
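Review bot: the second hunk of PATCH 2/2 ends with two added blank lines before `### Higher-order Reconcilers`, while the other hunks leave a single blank line before a heading; drop one. Both YAML examples are `ClusterRole`s and the comment says the name is "any name that is bound to the ServiceAccount used by the client", so it is worth adding that a namespaced `Role` with the same rules is the tighter choice when the controller only reconciles resources in one namespace, and that either form still needs a `RoleBinding` or `ClusterRoleBinding` to the controller's ServiceAccount before the client requests succeed.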