diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 262c94c7..3148e5cb 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -11,6 +11,8 @@ rules:
 verbs:
 - get
 - list
+ - patch
+ - update
 - watch
 - apiGroups:
 - openstack.k-orc.cloud
diff --git a/internal/scope/provider.go b/internal/scope/provider.go
index 5030195e..7620a18e 100644
--- a/internal/scope/provider.go
+++ b/internal/scope/provider.go
@@ -239,8 +239,6 @@ func (g gophercloudLogger) Printf(format string, args ...interface{}) {
 g.logger.Info(fmt.Sprintf(format, args...))
 }
 
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
-
 // getCloudFromSecret extract a Cloud from the given namespace:secretName.
 func getCloudFromSecret(ctx context.Context, ctrlClient client.Client, secretNamespace string, secretName string, cloudName string) (clientconfig.Cloud, []byte, error) {
 emptyCloud := clientconfig.Cloud{}
diff --git a/internal/util/credentials/dependency.go b/internal/util/credentials/dependency.go
index 1b301d89..c16a7df6 100644
--- a/internal/util/credentials/dependency.go
+++ b/internal/util/credentials/dependency.go
@@ -26,6 +26,24 @@ import (
 "github.com/k-orc/openstack-resource-controller/internal/util/dependency"
 )
 
+/*
+ NOTE: These are cluster-wide permissions on secrets, which is not ideal.
+
+ On the update privilege: we only need this for adding finalizers. Although
+ the OwnerReferencesPermissionEnforcement
+ (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement)
+ may make it look like there is, there is no real finalizers subresource, so
+ we can't confine this to the ability to write the finalizer.
+
+ I (mdbooth) suspect that the future may bring new capabilities, either in
+ kube or its supporting ecosystem, which may allow us to reduce these
+ privileges in the future. We should periodically take some time to find out
+ if that has happened yet.
+*/
+
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=update;patch
+
 func AddCredentialsWatch[
 objectTP dependency.ObjectType[objectT],
 objectListTP dependency.ObjectListType[objectListT, objectT],
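Review bot: The second marker grants both `update` and `patch` on every secret in the cluster, but the block comment above it justifies only "the update privilege" for adding finalizers, so one of the two verbs is an unexplained cluster-wide write permission. Whichever verb the finalizer write actually uses (a merge patch would need only `patch`; an Update call only `update`), the other should be dropped from the marker, or the comment should state why both are required; I cannot see the finalizer code from this hunk, so please confirm which applies. Either way the comment should name the verb(s) it is defending, e.g. `On the update/patch privilege: needed only to add and remove our finalizer on referenced secrets; both verbs are listed because <reason>.`. The signature of AddCredentialsWatch continues past the end of the hunk, and its body is not visible here.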