
Role and Clusterrole binding are not generated correctly

Open · RealAnna opened this issue 2 years ago · 1 comment

CONTROLLER_TOOLS_VERSION=v0.10.0

command: controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases

What I did: My controller needs to access both a cluster resource and a namespaced one, so I use both annotations to autogenerate RBAC rules.

What happened: When annotating the controller with both namespaced and cluster RBAC rules, both roles are created but only one binding.

What I would expect: Both bindings, for the ClusterRole and the Role, are generated.

How To Reproduce:

  1. In a kubebuilder PROJECT, annotate a controller with

```go
//clusterrole
// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update;

//role
// +kubebuilder:rbac:groups="",namespace=mynamespace,resources=secrets,verbs=get;list;watch;create;update;patch;delete
```

  2. Run `make manifests` or `controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases`

  3. Observe that the role.yaml file has both ClusterRole and Role correctly generated

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: manager-role
  namespace: mynamespace
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
```
  4. Check that role_binding.yaml has only the ClusterRole bindings

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: cert-manager
  namespace: system
```

Temporary fix: I could manually add the other binding and list it in kustomization.yaml, but I would expect the tool to generate both in role_binding.yaml.

RealAnna avatar Jan 12 '23 09:01 RealAnna
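As an added check that is not part of this issue or of controller-tools, the script below reads controller-gen's role.yaml and role_binding.yaml and lists every generated Role or ClusterRole that no generated binding references, which is exactly the gap the issue describes. It relies on controller-gen's flat two-space output layout rather than a full YAML parser, and the sample inputs are trimmed copies of the files quoted above.

```python
import re
# Constructed sample: the issue's role.yaml and role_binding.yaml, trimmed to the
# fields this check reads (controller-gen's flat layout, one document per '---').
ROLE_YAML = """\
kind: ClusterRole
metadata:
  name: manager-role
---
kind: Role
metadata:
  name: manager-role
  namespace: mynamespace
rules:
- apiGroups: [""]
"""
BINDING_YAML = """\
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
"""

def top_block(doc, key):
    """Scalar children (two-space indent) of top-level `key`; not a general YAML parser."""
    out, inside = {}, False
    for line in doc.splitlines():
        if not line.startswith(" "):
            inside = line.rstrip() == f"{key}:"
        elif inside and (m := re.match(r"^  (\w+): (.*)$", line)):
            out[m[1]] = m[2].strip()
    return out

def role_key(doc):
    """(kind, name, namespace) of a Role/ClusterRole, or of the role a binding grants.
    A RoleBinding only covers a Role in its own namespace, so namespace is part of the key."""
    kind = re.search(r"(?m)^kind: (\S+)", doc).group(1)
    meta = top_block(doc, "metadata")
    if kind.endswith("Binding"):
        ref = top_block(doc, "roleRef")
        return (ref.get("kind"), ref.get("name"), meta.get("namespace") if kind == "RoleBinding" else None)
    return (kind, meta.get("name"), meta.get("namespace") if kind == "Role" else None)

def unbound_roles(role_yaml, binding_yaml):
    """Keys of generated roles that no generated binding references (the bug in the issue)."""
    docs = lambda s: [d for d in re.split(r"(?m)^---[ \t]*$", s) if d.strip()]
    bound = {role_key(d) for d in docs(binding_yaml)}
    return [k for k in map(role_key, docs(role_yaml)) if k not in bound]
```

Running `unbound_roles(ROLE_YAML, BINDING_YAML)` on the issue's files reports the namespaced Role `manager-role` in `mynamespace` as unbound; once a RoleBinding for it is added to role_binding.yaml the list is empty.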

If you try to move forward to use Roles instead of ClusterRole, then it does not work properly without manual changes. More info: https://sdk.operatorframework.io/docs/building-operators/golang/operator-scope/#changing-the-permissions-to-namespaced

However, it would be great if we could change controller-gen to do this. Please feel free to contribute with this one and push a pull request to address this need.

camilamacedo86 avatar Jan 31 '23 09:01 camilamacedo86