Merge pull request #24 from appuio/fix/apiserver-rbac

Add missing RBAC permissions to the apiserver role
appuio · Jan 28, 2022 · d0458e7 · d0458e7
2 parents 9401159 + e5822f4
commit d0458e7
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 0 deletions.
diff --git a/apiserver/organization/members.go b/apiserver/organization/members.go
@@ -7,6 +7,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// +kubebuilder:rbac:groups="appuio.io",resources=organizationmembers,verbs=get;list;watch;create;delete;patch;update;edit
+
 // memberProvider is an abstraction for interacting with the OrganizationMembers Object
 //go:generate go run github.com/golang/mock/mockgen -source=$GOFILE -destination=./mock/$GOFILE
 type memberProvider interface {

diff --git a/apiserver/organization/rolebindings.go b/apiserver/organization/rolebindings.go
@@ -11,6 +11,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;delete;patch;update;edit
+
+// Needed so that we are allowed to delegate the default clusterroles
+// +kubebuilder:rbac:groups="rbac.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
+// +kubebuilder:rbac:groups="organization.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
+
 //go:generate go run github.com/golang/mock/mockgen -source=$GOFILE -destination=./mock/$GOFILE
 type roleBindingCreator interface {
 	CreateRoleBindings(ctx context.Context, namespace string) error

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -36,6 +36,19 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - appuio.io
+  resources:
+  - organizationmembers
+  verbs:
+  - create
+  - delete
+  - edit
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -54,3 +67,42 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - organization.appuio.io
+  resources:
+  - organizations
+  verbs:
+  - create
+  - delete
+  - edit
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.appuio.io
+  resources:
+  - organizations
+  verbs:
+  - create
+  - delete
+  - edit
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - delete
+  - edit
+  - get
+  - list
+  - patch
+  - update
+  - watch