Grant deployment manager server account permissions to read managed clusters and secrets #82
Conversation
jhernand
force-pushed
the
grant_deployment_manager_server_account_permissions_to_read_managed_clusters_and_secrets
branch
3 times, most recently
from
0d18c0d to
6e84e45
Compare
config/manager/kustomization.yaml
Outdated
| @@ -9,5 +9,5 @@ generatorOptions: | |||
|
|
|||
| images: | |||
| - name: controller | |||
| newName: quay.io/jhernand/o2ims-operator | |||
| newTag: "2" | |||
| newName: quay.io/imihai/oran-o2ims-operator | |||
There was a problem hiding this comment.
Could we change this to the final name which would be quay.io/openshift-kni/oran-o2ims-operator?
| roleName := fmt.Sprintf("%s-%s", orano2ims.Namespace, utils.ORANO2IMSAlarmSubscriptionServerName) | ||
| bindingName := fmt.Sprintf("%s-%s", orano2ims.Namespace, utils.ORANO2IMSAlarmSubscriptionServerName) | ||
|
|
||
| // Grant the service account permissions to read the objects it needs, for example managed |
There was a problem hiding this comment.
We could consider moving the creation of the ClusterRole & ClusterRoleBinding to their own functions, like for the other resources create by the operator.
There was a problem hiding this comment.
Yes, makes sense, will do it.
|
|
||
| // Grant the service account permissions to read the objects it needs, for example managed | ||
| // clusters: | ||
| role := &rbacv1.ClusterRole{ |
There was a problem hiding this comment.
I think it would be a good idea to use the utils.CreateK8sCR function for creating these new resources for 2 reasons:
- It sets the owner resource, so when the
orano2imsCR is deleted, these resources will also be deleted. - If anyone is to update these resources, the operator will PATCH/UPDATE them to the expected values so that everything works as expected.
Please ignore these if they are not relevant to what you had in mind.
There was a problem hiding this comment.
I agree, will do it.
This patch regenerates manifest files generated by `make generate` and `make bundle`. Signed-off-by: Juan Hernandez <[email protected]>
The service account that is used to run the deployment manager server needs permissions to read `ManagedCluster` objects and assisted installer admin kubeconfig secrets. This patch changes the operator so that it creates the corresponding cluster roles and cluster role bindings. In order to do so the operator needs to also have those permissions, as Kubernetes forbids granting more permissions than the service account granting them already has. So this patch also adds those permissions to the service account that is used to run the operator. Signed-off-by: Juan Hernandez <[email protected]>
jhernand
force-pushed
the
grant_deployment_manager_server_account_permissions_to_read_managed_clusters_and_secrets
branch
from
6e84e45 to
010cea8
Compare
|
@irinamihai I think I addressed all your suggestions, please take another look. |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irinamihai The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
jhernand
deleted the
grant_deployment_manager_server_account_permissions_to_read_managed_clusters_and_secrets
branch
The service account that is used to run the deployment manager server needs permissions to read
ManagedClusterobjects and assisted installer admin kubeconfig secrets. This patch changes the operator so that it creates the corresponding cluster roles and cluster role bindings. In order to do so the operator needs to also have those permissions, as Kubernetes forbids granting more permissions than the service account granting them already has. So this patch also adds those permissions to the service account that is used to run the operator.