Skip to content

Commit 0b0b396

Browse files
cw-Guocw-Guo
committed
fix missing rbac roles
Signed-off-by: Chengwei Guo <chengweiguo@bytedance.com>
1 parent 0de64fa commit 0b0b396

7 files changed

Lines changed: 104 additions & 77 deletions

File tree

config/rbac/role.yaml

Lines changed: 38 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -7,20 +7,23 @@ rules:
77
- apiGroups:
88
- ""
99
resources:
10-
- events
10+
- configmaps
11+
- pods
1112
verbs:
12-
- list
13-
- watch
13+
- get
1414
- apiGroups:
1515
- ""
1616
resources:
17-
- pods
17+
- secrets
1818
verbs:
19+
- create
1920
- get
21+
- list
22+
- patch
23+
- watch
2024
- apiGroups:
2125
- ""
2226
resources:
23-
- secrets
2427
- serviceaccounts
2528
- services
2629
verbs:
@@ -29,7 +32,6 @@ rules:
2932
- get
3033
- list
3134
- patch
32-
- update
3335
- watch
3436
- apiGroups:
3537
- apps
@@ -42,46 +44,50 @@ rules:
4244
- get
4345
- list
4446
- patch
45-
- update
4647
- watch
4748
- apiGroups:
4849
- fluentbit.fluent.io
4950
resources:
5051
- clusterfilters
52+
- clusterfluentbitconfigs
5153
- clusterinputs
5254
- clustermultilineparsers
5355
- clusteroutputs
5456
- clusterparsers
57+
- filters
58+
- fluentbitconfigs
5559
- multilineparsers
60+
- outputs
5661
- parsers
5762
verbs:
5863
- list
5964
- watch
6065
- apiGroups:
6166
- fluentbit.fluent.io
6267
resources:
63-
- clusterfluentbitconfigs
6468
- collectors
65-
- filters
66-
- fluentbitconfigs
6769
- fluentbits
68-
- inputs
69-
- outputs
7070
verbs:
71-
- create
72-
- delete
7371
- get
7472
- list
75-
- patch
7673
- update
7774
- watch
75+
- apiGroups:
76+
- fluentbit.fluent.io
77+
resources:
78+
- collectors/finalizers
79+
- fluentbits/finalizers
80+
verbs:
81+
- update
7882
- apiGroups:
7983
- fluentd.fluent.io
8084
resources:
8185
- clusterfilters
86+
- clusterfluentdconfigs
8287
- clusterinputs
8388
- clusteroutputs
8489
- filters
90+
- fluentdconfigs
8591
- inputs
8692
- outputs
8793
verbs:
@@ -90,42 +96,47 @@ rules:
9096
- apiGroups:
9197
- fluentd.fluent.io
9298
resources:
93-
- clusterfluentdconfigs
94-
- fluentdconfigs
99+
- clusterfluentdconfigs/status
100+
- fluentdconfigs/status
101+
- fluentds/status
102+
verbs:
103+
- get
104+
- patch
105+
- update
106+
- apiGroups:
107+
- fluentd.fluent.io
108+
resources:
95109
- fluentds
96110
verbs:
97-
- create
98-
- delete
99111
- get
100112
- list
101-
- patch
102113
- update
103114
- watch
104115
- apiGroups:
105116
- fluentd.fluent.io
106117
resources:
107-
- fluentdconfigs/finalizers
108118
- fluentds/finalizers
109119
verbs:
110120
- update
111121
- apiGroups:
112-
- fluentd.fluent.io
122+
- rbac.authorization.k8s.io
113123
resources:
114-
- fluentdconfigs/status
115-
- fluentds/status
124+
- clusterrolebindings
125+
- clusterroles
116126
verbs:
127+
- create
117128
- get
129+
- list
118130
- patch
119-
- update
131+
- watch
120132
- apiGroups:
121133
- rbac.authorization.k8s.io
122134
resources:
123-
- clusterrolebindings
124-
- clusterroles
125135
- rolebindings
126136
- roles
127137
verbs:
128138
- create
139+
- delete
129140
- get
130141
- list
131142
- patch

controllers/collector_controller.go

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -42,11 +42,13 @@ type CollectorReconciler struct {
4242
Scheme *runtime.Scheme
4343
}
4444

45-
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=fluentbits;fluentbitconfigs;collectors;inputs;filters;outputs,verbs=get;list;watch;create;update;patch;delete
46-
// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
47-
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
48-
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create
49-
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create
45+
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=collectors,verbs=get;list;watch;update
46+
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=collectors/finalizers,verbs=update
47+
// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;patch;delete
48+
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;patch;delete
49+
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;patch;delete
50+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create;get;list;watch;patch
51+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;watch;patch
5052
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get
5153

5254
// Reconcile is part of the main kubernetes reconciliation loop which aims to

controllers/fluentbit_controller.go

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -46,16 +46,16 @@ type FluentBitReconciler struct {
4646
Namespaced bool
4747
}
4848

49-
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=fluentbits;fluentbitconfigs;inputs;filters;outputs,verbs=get;list;watch;create;update;patch;delete
50-
// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;create;update;patch;delete
51-
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
52-
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
53-
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create;list;get;watch;patch
54-
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;list;get;watch;patch
55-
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;list;get;watch;patch
56-
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;list;get;watch;patch
49+
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=fluentbits,verbs=get;list;watch;update
50+
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=fluentbits/finalizers,verbs=update
51+
// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;create;patch;delete
52+
// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;watch;create;patch;delete
53+
// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;patch;delete
54+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create;get;list;watch;patch
55+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;watch;patch
56+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;delete;get;list;watch;patch
57+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;delete;get;list;watch;patch
5758
// +kubebuilder:rbac:groups=core,resources=pods,verbs=get
58-
// +kubebuilder:rbac:groups=core,resources=events,verbs=list;watch
5959

6060
// Reconcile is part of the main kubernetes reconciliation loop which aims to
6161
// move the current state of the cluster closer to the desired state.

controllers/fluentbitconfig_controller.go

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -166,11 +166,12 @@ func (r *FluentBitConfigReconciler) updateSecretIfNeeded(
166166
return nil
167167
}
168168

169-
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=clusterfluentbitconfigs,verbs=get;list;watch;create;update;patch;delete
170-
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=fluentbitconfigs,verbs=get;list;watch;create;update;patch;delete
169+
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=clusterfluentbitconfigs,verbs=list;watch
170+
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=fluentbitconfigs,verbs=list;watch
171171
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=clusterinputs;clusterfilters;clusteroutputs;clusterparsers;clustermultilineparsers,verbs=list;watch
172172
// +kubebuilder:rbac:groups=fluentbit.fluent.io,resources=filters;outputs;parsers;multilineparsers,verbs=list;watch
173-
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
173+
// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get
174+
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;patch
174175

175176
// Reconcile is part of the main kubernetes reconciliation loop which aims to
176177
// move the current state of the cluster closer to the desired state.

controllers/fluentd_controller.go

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,9 +47,13 @@ type FluentdReconciler struct {
4747
Scheme *runtime.Scheme
4848
}
4949

50-
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentds,verbs=get;list;watch;create;update;patch;delete
50+
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentds,verbs=get;list;watch;update
5151
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentds/status,verbs=get;update;patch
5252
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentds/finalizers,verbs=update
53+
// +kubebuilder:rbac:groups=apps,resources=daemonsets;statefulsets,verbs=get;list;watch;create;patch;delete
54+
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get
55+
// +kubebuilder:rbac:groups=core,resources=serviceaccounts;services,verbs=get;list;watch;create;patch;delete
56+
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=create;get;list;watch;patch
5357

5458
// Reconcile is part of the main kubernetes reconciliation loop which aims to
5559
// move the current state of the cluster closer to the desired state.

controllers/fluentdconfig_controller.go

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -82,14 +82,12 @@ type FluentdConfigReconciler struct {
8282
Scheme *runtime.Scheme
8383
}
8484

85-
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentdconfigs,verbs=get;list;watch;create;update;patch;delete
86-
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=clusterfluentdconfigs,verbs=get;list;watch;create;update;patch;delete
85+
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentdconfigs,verbs=list;watch
86+
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=clusterfluentdconfigs,verbs=list;watch
8787
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=inputs;filters;outputs,verbs=list;watch
8888
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=clusterinputs;clusterfilters;clusteroutputs,verbs=list;watch
8989
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentds,verbs=list
90-
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentds/status,verbs=patch
91-
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentdconfigs/status,verbs=get;update;patch
92-
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=fluentdconfigs/finalizers,verbs=update
90+
// +kubebuilder:rbac:groups=fluentd.fluent.io,resources=clusterfluentdconfigs/status;fluentdconfigs/status;fluentds/status,verbs=get;update;patch
9391

9492
// Reconcile is part of the main kubernetes reconciliation loop which aims to
9593
// move the current state of the cluster closer to the desired state.

0 commit comments

Comments
 (0)