From aa1856aa04b8baabc1f21ab307772c227ada9977 Mon Sep 17 00:00:00 2001
From: raffaelespazzoli
Date: Thu, 28 Jul 2022 07:45:57 -0400
Subject: [PATCH 1/2] fix #30

Signed-off-by: raffaelespazzoli
---
 readme.md | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/readme.md b/readme.md
index 3ef62b3..ebc3224 100644
--- a/readme.md
+++ b/readme.md
@@ -18,6 +18,9 @@ The patch operator helps with defining patches in a declarative way. This operat
 - [Creation-time patch injection](#creation-time-patch-injection)
 - [Security Considerations](#security-considerations)
 - [Installing the creation time webhook](#installing-the-creation-time-webhook)
+ - [Enabling creation time time webhook (OLM)](#enabling-creation-time-time-webhook-olm)
+ - [Enabling creation time time webhook (Helm)](#enabling-creation-time-time-webhook-helm)
+ - [Webhook rules](#webhook-rules)
 - [Runtime patch enforcement](#runtime-patch-enforcement)
 - [Patch Controller Security Considerations](#patch-controller-security-considerations)
 - [Patch Controller Performance Considerations](#patch-controller-performance-considerations)
@@ -188,9 +191,7 @@ spec:
 targetObjectRef:
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
- labelSelector:
- matchLabels:
- redhat-cop.redhat.io/patch-operator: "true"
+ name: patch-operator-inject
 patchTemplate: '[{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle", "value":"{{ (index (index . 1).data "olmCAKey") }}"}]'
 patchType: application/json-patch+json
 sourceObjectRefs:
@@ -210,8 +211,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
 name: patch-operator-inject
- labels:
- redhat-cop.redhat.io/patch-operator: "true"
 webhooks:
 - admissionReviewVersions:
 - v1

From 8a0a3b493ed68e3cff5da4ae0632c713d33c7b21 Mon Sep 17 00:00:00 2001
From: raffaelespazzoli
Date: Thu, 28 Jul 2022 07:52:04 -0400
Subject: [PATCH 2/2] fix #38
Signed-off-by: raffaelespazzoli
---
 config/rbac/role.yaml | 6 ++++++
 controllers/customresourcedefinition_controller.go | 1 -
 controllers/patch_controller.go | 4 +++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 7f9b800..084bf4c 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -49,6 +49,12 @@ rules:
 - get
 - list
 - watch
+- apiGroups: - authentication.k8s.io resources: - '*' verbs: - impersonate
 - apiGroups:
 - redhatcop.redhat.io
 resources:
diff --git a/controllers/customresourcedefinition_controller.go b/controllers/customresourcedefinition_controller.go
index 9759498..6056fc1 100644
--- a/controllers/customresourcedefinition_controller.go
+++ b/controllers/customresourcedefinition_controller.go
@@ -69,7 +69,6 @@ func (r *CustomResourceDefinitionReconciler) setModels(openapiModels openapi.Mod
 }

 //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=users;groups;serviceaccounts,verbs=impersonate

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/patch_controller.go b/controllers/patch_controller.go
index 000800e..913b4d4 100644
--- a/controllers/patch_controller.go
+++ b/controllers/patch_controller.go
@@ -49,8 +49,10 @@ type PatchReconciler struct {
 //+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;patch
 //+kubebuilder:rbac:groups="",resources=serviceaccounts;secrets,verbs=get;list;watch
-// needed by the pacth webhook
+// needed by the patch webhook
 //+kubebuilder:rbac:groups="*",resources="*",verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=users;groups;serviceaccounts,verbs=impersonate
+//+kubebuilder:rbac:groups="authentication.k8s.io",resources=*,verbs=impersonate

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
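Review bot: The new marker `//+kubebuilder:rbac:groups="authentication.k8s.io",resources=*,verbs=impersonate` grants the operator impersonation of every resource in that group, which in the Kubernetes impersonation API means `uids` and any `userextras/<key>`; that is broader than the core-group marker directly above it, which names `users;groups;serviceaccounts` explicitly, and it is the rule that lands as `'*'` in the generated config/rbac/role.yaml hunk earlier in this patch. If the reconciler only forwards a UID or a known set of extra keys when it builds the impersonating client, scope the marker to those, e.g. `resources=uids` plus one `userextras/<key>` entry per forwarded key, so the wildcard does not outlive the need that motivated it. Quoting is also inconsistent with the `resources="*"` on the line above; pick one form for both. The core-group marker was moved here from the CRD reconciler and the authentication.k8s.io one is new, neither with an explanation, so a short why-comment above the pair would help, e.g. `// impersonate the identity named by the Patch's serviceAccountRef when reading sources and applying the patch — NOTE(review): confirm against the client construction in Reconcile`; Reconcile itself starts after the end of this hunk.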