kubernetes-sigs
Handling Identical Kubebuilder Annotations in Different CRs with * Verbs
When there are two identical Kubebuilder annotations (same API groups) in different Custom Resource (CR) files, and one of them uses the verb *, we need to account for a condition where the verb is *, but not * combined with specific verbs like list, update, etc.
For example:
// controllers/storagecluster/reconcile.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=*
func (r *StorageClusterReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {}
// controllers/storagerequest/storagerequest_controller.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;create;update;patch;delete
func (r *StorageRequestReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {}
In the RBAC role configuration:
# config/rbac/role.yaml
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
The role definition currently allows both * and specific verbs such as create, delete, and list. The issue arises from the fact that * includes all verbs, making the additional specific verbs redundant. We should add a condition to avoid this overlap.
Reference: ocs-operator role.yaml
Makes sense, feel free to open a PR
(cc @chrischdi just fyi)
https://github.com/kubernetes-sigs/controller-tools/pull/1081
@chrischdi: Closing this issue.
In response to this:
Was fixed in
#1081
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
