controller-tools
Handling Identical Kubebuilder Annotations in Different CRs with * Verbs
When two identical Kubebuilder annotations (same API groups) appear in different Custom Resource (CR) files and one of them uses the verb `*`, we need to handle the case where the resulting verb list should be `*` alone, not `*` combined with specific verbs like list, update, etc.
For example:
```go
// controllers/storagecluster/reconcile.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=*
func (r *StorageClusterReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
	return reconcile.Result{}, nil // body omitted; only the marker above matters here
}

// controllers/storagerequest/storagerequest_controller.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;create;update;patch;delete
func (r *StorageRequestReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
	return reconcile.Result{}, nil // body omitted; only the marker above matters here
}
```
In the RBAC role configuration:
```yaml
# config/rbac/role.yaml
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - '*'
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
```
The role definition currently allows both `*` and specific verbs such as create, delete, and list. Because `*` already includes all verbs, the additional specific verbs are redundant. We should add a condition to avoid this overlap.
Reference: ocs-operator role.yaml
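
One way to express the condition proposed above, as an added example that is not controller-tools' own code: rules for the same group and resource are merged, and any verb list containing `*` collapses to `*` alone. `Rule`, `normalizeVerbs` and `mergeRules` are hypothetical names, and the input in `main` is constructed from the two annotations shown earlier.

```go
package main

import (
	"fmt"
	"sort"
)

type Rule struct { // hypothetical, simplified stand-in for one generated RBAC rule
	Group, Resource string
	Verbs           []string
}

// normalizeVerbs de-duplicates and sorts verbs; a list containing "*" becomes just "*".
func normalizeVerbs(verbs []string) []string {
	set := map[string]bool{}
	for _, v := range verbs {
		set[v] = true
	}
	if set["*"] {
		return []string{"*"}
	}
	out := make([]string, 0, len(set))
	for v := range set {
		out = append(out, v)
	}
	sort.Strings(out)
	return out
}

// mergeRules unions the verbs of rules that share group and resource.
func mergeRules(rules []Rule) []Rule {
	idx := map[string]int{}
	var out []Rule
	for _, r := range rules {
		key := r.Group + "/" + r.Resource
		i, ok := idx[key]
		if !ok {
			i, idx[key] = len(out), len(out)
			out = append(out, Rule{Group: r.Group, Resource: r.Resource})
		}
		out[i].Verbs = normalizeVerbs(append(out[i].Verbs, r.Verbs...))
	}
	return out
}

func main() { // constructed input: the two annotations from the page
	g, r := "storage.k8s.io", "storageclasses"
	specific := []string{"get", "list", "watch", "create", "update", "patch", "delete"}
	fmt.Println(mergeRules([]Rule{{g, r, []string{"*"}}, {g, r, specific}}))
}
```

The merged rule still grants every verb on storageclasses, so the narrower annotation on the second controller has no effect on the generated role; collapsing to `*` only makes that visible in `role.yaml`.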