fix: add RBAC permissions for clusterrole (#10060)

(cherry picked from commit 65dfc72)

Author: leon-ape

config/rbac/role.yaml

@@ -486,12 +486,6 @@ rules:
   - serviceaccounts/finalizers
   verbs:
   - update
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts/status
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -937,7 +931,7 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - rolebindings
+  - clusterroles
   verbs:
   - create
   - delete
@@ -949,15 +943,27 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - rolebindings/finalizers
+  - clusterroles/finalizers
   verbs:
   - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - rolebindings/status
+  - rolebindings
   verbs:
+  - create
+  - delete
   - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings/finalizers
+  verbs:
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -976,12 +982,6 @@ rules:
   - roles/finalizers
   verbs:
   - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles/status
-  verbs:
-  - get
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:

controllers/apps/component/component_controller.go

@@ -92,14 +92,14 @@ type ComponentReconciler struct {
 // read only + watch access
 // +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch
 
-// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=serviceaccounts/status,verbs=get
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=serviceaccounts/finalizers,verbs=update
 
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/status,verbs=get
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles/finalizers,verbs=update
 
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles/status,verbs=get
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

controllers/apps/componentdefinition_controller.go

@@ -66,6 +66,9 @@ type ComponentDefinitionReconciler struct {
 // +kubebuilder:rbac:groups=apps.kubeblocks.io,resources=componentdefinitions/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=apps.kubeblocks.io,resources=componentdefinitions/finalizers,verbs=update
 
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/finalizers,verbs=update
+
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
 //

deploy/helm/config/rbac/role.yaml

@@ -486,12 +486,6 @@ rules:
   - serviceaccounts/finalizers
   verbs:
   - update
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts/status
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -937,7 +931,7 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - rolebindings
+  - clusterroles
   verbs:
   - create
   - delete
@@ -949,15 +943,27 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - rolebindings/finalizers
+  - clusterroles/finalizers
   verbs:
   - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - rolebindings/status
+  - rolebindings
   verbs:
+  - create
+  - delete
   - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings/finalizers
+  verbs:
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -976,12 +982,6 @@ rules:
   - roles/finalizers
   verbs:
   - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles/status
-  verbs:
-  - get
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:

deploy/helm/templates/rbac/rbac_manager_role.yaml

@@ -7,74 +7,109 @@ metadata:
     {{- include "kubeblocks.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - ""
+    - ""
   resources:
-  - serviceaccounts
+    - serviceaccounts
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
+    - create
+    - delete
+    - get
+    - list
+    - watch
+    - patch
+    - update
 - apiGroups:
-  - ""
+    - ""
   resources:
-  - serviceaccounts/finalizers
+    - serviceaccounts/finalizers
   verbs:
-  - update
+    - update
 - apiGroups:
-  - ""
+    - ""
   resources:
-  - serviceaccounts/status
+    - serviceaccounts/status
   verbs:
-  - get
-  - patch
-  - update
+    - get
+    - patch
+    - update
 - apiGroups:
-  - rbac.authorization.k8s.io
+    - rbac.authorization.k8s.io
   resources:
-  - rolebindings
+    - roles
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
+    - create
+    - delete
+    - get
+    - list
+    - watch
+    - patch
+    - update
 - apiGroups:
-  - rbac.authorization.k8s.io
+    - rbac.authorization.k8s.io
   resources:
-  - roles
+    - roles/finalizers
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
+    - update
 - apiGroups:
-  - rbac.authorization.k8s.io
+    - rbac.authorization.k8s.io
   resources:
-  - roles/status
+    - roles/status
   verbs:
-  - get
-  - patch
-  - update
+    - get
+    - patch
+    - update
 - apiGroups:
-  - rbac.authorization.k8s.io
+    - rbac.authorization.k8s.io
   resources:
-  - rolebindings/finalizers
+    - rolebindings
   verbs:
-  - update
+    - create
+    - delete
+    - get
+    - list
+    - watch
+    - patch
+    - update
 - apiGroups:
-  - rbac.authorization.k8s.io
+    - rbac.authorization.k8s.io
   resources:
-  - rolebindings/status
+    - rolebindings/finalizers
   verbs:
-  - get
-  - patch
-  - update
+    - update
+- apiGroups:
+    - rbac.authorization.k8s.io
+  resources:
+    - rolebindings/status
+  verbs:
+    - get
+    - patch
+    - update
+- apiGroups:
+    - rbac.authorization.k8s.io
+  resources:
+    - clusterroles
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - watch
+    - patch
+    - update
+- apiGroups:
+    - rbac.authorization.k8s.io
+  resources:
+    - clusterroles/finalizers
+  verbs:
+    - update
+- apiGroups:
+    - rbac.authorization.k8s.io
+  resources:
+    - clusterroles/status
+  verbs:
+    - get
+    - patch
+    - update
 - apiGroups:
     - rbac.authorization.k8s.io
   resources:
@@ -84,6 +119,7 @@ rules:
     - delete
     - get
     - list
+    - watch
     - patch
     - update
 - apiGroups:

deploy/helm/values.yaml

@@ -62,11 +62,16 @@ fullnameOverride: ""
 ##
 ##   groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;watch;create;update;patch;delete
 ##   groups=rbac.authorization.k8s.io,resources=roles/status,verbs=get;update;patch
+##   groups=rbac.authorization.k8s.io,resources=roles/finalizers,verbs=update
 ##
 ##   groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
 ##   groups=rbac.authorization.k8s.io,resources=rolebindings/status,verbs=get;update;patch
 ##   groups=rbac.authorization.k8s.io,resources=rolebindings/finalizers,verbs=update
 ##
+##   groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
+##   groups=rbac.authorization.k8s.io,resources=clusterroles/status,verbs=get;update;patch
+##   groups=rbac.authorization.k8s.io,resources=clusterroles/finalizers,verbs=update
+##
 ##   groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 ##   groups=rbac.authorization.k8s.io,resources=clusterrolebindings/status,verbs=get;update;patch
 ##   groups=rbac.authorization.k8s.io,resources=clusterrolebindings/finalizers,verbs=update