From 49645577e10f490ea83a32be0e7c07119ec1dbd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=A9=B1=E5=BA=B8?=
Date: Fri, 11 Feb 2022 15:21:57 +0800
Subject: [PATCH] fix: fix rbac for operator
---
 config/rbac/role.yaml | 78 +++++++++++++++++++
 deploy/obcluster.yaml | 1 -
 deploy/operator.yaml | 65 ++++++++++++++++
 .../observer/core/obcluster_controller.go | 9 +++
 4 files changed, 152 insertions(+), 1 deletion(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index cbda3ed6e..45a16410a 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -39,6 +39,84 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - obzones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - obzones/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - obzones/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - rootservices
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - rootservices/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - rootservices/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - services/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - services/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - cloud.oceanbase.com
 resources:
diff --git a/deploy/obcluster.yaml b/deploy/obcluster.yaml
index f5521576f..5fb78ad92 100644
--- a/deploy/obcluster.yaml
+++ b/deploy/obcluster.yaml
@@ -1,7 +1,6 @@
 apiVersion: cloud.oceanbase.com/v1
 kind: OBCluster
 metadata:
- namespace: ob
 name: ob-test
 spec:
 version: v3.1.2-10000392021123010
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index bd1bdec9d..9e4672e12 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -88,6 +88,58 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - obzones
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - obzones/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - obzones/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - rootservices
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - rootservices/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - cloud.oceanbase.com
+ resources:
+ - rootservices/status
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups:
 - cloud.oceanbase.com
 resources:
@@ -120,6 +172,18 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 resources:
@@ -321,6 +385,7 @@ spec:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
+ - --cluster-name=cn
 command:
 - /manager
 image: oceanbase/obce-operator:v0.0.1
diff --git a/pkg/controllers/observer/core/obcluster_controller.go b/pkg/controllers/observer/core/obcluster_controller.go
index 57028f9f6..3cfeb984a 100644
--- a/pkg/controllers/observer/core/obcluster_controller.go
+++ b/pkg/controllers/observer/core/obcluster_controller.go
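Review bot: The `services` rule added in the `@@ -120,6 +172,18 @@` hunk of deploy/operator.yaml sits under the core API group (`""`), while the same patch declares `services`, `services/status` and `services/finalizers` under `cloud.oceanbase.com` in config/rbac/role.yaml and in the kubebuilder markers of obcluster_controller.go, so the two manifests grant different permissions. If role.yaml is regenerated from the markers (the usual kubebuilder flow), it will keep the `cloud.oceanbase.com` rules, which look like grants on a resource that is not one of this operator's CRDs, and will never carry the core-group rule the controller presumably needs. The marker should probably read `// +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch;delete`, with the two sub-resource markers dropped unless the controller really uses them. Whether this rule belongs to a Role or a ClusterRole is not visible in the hunk; if it is a ClusterRole, `create`/`delete` on Services applies in every namespace, and it is worth confirming that scope is intended.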
@@ -50,9 +50,18 @@ type OBClusterCtrlOperator interface {
 // +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=obclusters,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=obclusters/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=obclusters/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=rootservices,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=rootservices/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=rootservices/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=obzones,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=obzones/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=obzones/finalizers,verbs=update
 // +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=statefulapps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=statefulapps/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=statefulapps/finalizers,verbs=update
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=services/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=cloud.oceanbase.com,resources=services/finalizers,verbs=update
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 func (r *OBClusterReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {