diff --git a/bundle/manifests/numaresources-operator.clusterserviceversion.yaml b/bundle/manifests/numaresources-operator.clusterserviceversion.yaml index 383b2b89de..d5e13e55fc 100644 --- a/bundle/manifests/numaresources-operator.clusterserviceversion.yaml +++ b/bundle/manifests/numaresources-operator.clusterserviceversion.yaml @@ -66,7 +66,7 @@ metadata: } ] capabilities: Basic Install - createdAt: "2026-05-13T12:16:00Z" + createdAt: "2026-05-27T16:22:04Z" features.operators.openshift.io/cnf: "true" features.operators.openshift.io/cni: "false" features.operators.openshift.io/csi: "false" @@ -378,9 +378,13 @@ spec: - "" resources: - configmaps - - serviceaccounts verbs: - - '*' + - create + - delete + - get + - list + - update + - watch - apiGroups: - "" resources: @@ -403,19 +407,47 @@ spec: - get - list - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - - '*' + - create + - get + - list + - update + - watch - apiGroups: - apps resources: - daemonsets + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - apps + resources: - deployments verbs: - - '*' + - create + - get + - list + - update + - watch - apiGroups: - config.openshift.io resources: @@ -457,7 +489,12 @@ spec: resources: - machineconfigs verbs: - - '*' + - create + - delete + - get + - list + - update + - watch - apiGroups: - nodetopology.openshift.io resources: @@ -491,22 +528,21 @@ spec: - rolebindings - roles verbs: - - '*' + - create + - get + - list + - update + - watch - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - - '*' - - apiGroups: - - topology.node.k8s.io - resources: - - noderesourcetopologies - verbs: - create - get - list - update + - watch serviceAccountName: numaresources-controller-manager deployments: - label: 
@@ -647,13 +683,17 @@ spec: resources: - services verbs: - - '*' + - create + - get + - update - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - - '*' + - create + - get + - update serviceAccountName: numaresources-controller-manager strategy: deployment installModes: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index b18c4080c2..656c21f7d9 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -8,9 +8,13 @@ rules: - "" resources: - configmaps - - serviceaccounts verbs: - - '*' + - create + - delete + - get + - list + - update + - watch - apiGroups: - "" resources: @@ -33,19 +37,47 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - - '*' + - create + - get + - list + - update + - watch - apiGroups: - apps resources: - daemonsets + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - apps + resources: - deployments verbs: - - '*' + - create + - get + - list + - update + - watch - apiGroups: - config.openshift.io resources: @@ -87,7 +119,12 @@ rules: resources: - machineconfigs verbs: - - '*' + - create + - delete + - get + - list + - update + - watch - apiGroups: - nodetopology.openshift.io resources: @@ -121,22 +158,21 @@ rules: - rolebindings - roles verbs: - - '*' + - create + - get + - list + - update + - watch - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - - '*' -- apiGroups: - - topology.node.k8s.io - resources: - - noderesourcetopologies - verbs: - create - get - list - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -149,10 +185,14 @@ rules: resources: - services verbs: - - '*' + - create + - get + - update - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - - '*' + - create + - get + - update 
diff --git a/internal/controller/kubeletconfig_controller.go b/internal/controller/kubeletconfig_controller.go
index d97c2e8860..91506881ce 100644
--- a/internal/controller/kubeletconfig_controller.go
+++ b/internal/controller/kubeletconfig_controller.go
@@ -90,7 +90,7 @@ type kubeletConfigHandler struct {
 // Namespace Scoped
 // Cluster Scoped
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=*
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;update;delete;list;watch
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //+kubebuilder:rbac:groups=machineconfiguration.openshift.io,resources=kubeletconfigs,verbs=get;list;watch
 //+kubebuilder:rbac:groups=machineconfiguration.openshift.io,resources=kubeletconfigs/finalizers,verbs=update
diff --git a/internal/controller/numaresourcesoperator_controller.go b/internal/controller/numaresourcesoperator_controller.go
index ccf3e2c60b..8ddff59295 100644
--- a/internal/controller/numaresourcesoperator_controller.go
+++ b/internal/controller/numaresourcesoperator_controller.go
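Review bot: The configmaps marker in kubeletconfig_controller.go stays under `// Cluster Scoped`, so the narrowed rule still allows create, update and delete on ConfigMaps in every namespace rather than only where the operator keeps its own. If this reconciler only touches ConfigMaps in the operator namespace (not visible in this hunk), adding `namespace="numaresources"`, as the services and networkpolicies markers in numaresourcesoperator_controller.go do, would move the grant into the namespaced Role. controller-gen merges this marker with the configmaps marker in numaresourcesscheduler_controller.go, which omits `delete`, so the generated role carries the union; a one-line comment above this marker naming the code path that deletes ConfigMaps would keep the verb from being dropped or copied by mistake. The wildcard also covered `patch`, so it is worth confirming that nothing in this controller patches ConfigMaps.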
@@ -100,24 +100,24 @@ type NUMAResourcesOperatorReconciler struct {
 }
 // Namespace Scoped
-//+kubebuilder:rbac:groups="",resources=services,verbs=*,namespace="numaresources"
-//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=*,namespace="numaresources"
+//+kubebuilder:rbac:groups="",resources=services,verbs=get;create;update,namespace="numaresources"
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;create;update,namespace="numaresources"
 // Cluster Scoped
 //+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=list
 //+kubebuilder:rbac:groups=config.openshift.io,resources=clusteroperators,verbs=get
 //+kubebuilder:rbac:groups=config.openshift.io,resources=infrastructures,verbs=get
-//+kubebuilder:rbac:groups=machineconfiguration.openshift.io,resources=machineconfigs,verbs=*
+//+kubebuilder:rbac:groups=machineconfiguration.openshift.io,resources=machineconfigs,verbs=get;create;update;delete;list;watch
 //+kubebuilder:rbac:groups=machineconfiguration.openshift.io,resources=machineconfigpools,verbs=get;list;watch
-//+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=*
-//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=*
-//+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=*
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=*
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=*
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=*
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=*
-//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=*
+//+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;create;update;delete;list;watch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;update
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create;update
+//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;create;update;list;watch
 //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=list
 //+kubebuilder:rbac:groups=nodetopology.openshift.io,resources=numaresourcesoperators,verbs=get;list;watch
diff --git a/internal/controller/numaresourcesscheduler_controller.go b/internal/controller/numaresourcesscheduler_controller.go
index 56e352b161..efadefb5b4 100644
--- a/internal/controller/numaresourcesscheduler_controller.go
+++ b/internal/controller/numaresourcesscheduler_controller.go
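Review bot: Replacing `verbs=*` on roles, rolebindings, clusterroles and clusterrolebindings in numaresourcesoperator_controller.go also removes the `escalate` and `bind` verbs that the wildcard granted implicitly. Without them the API server's escalation check only lets this service account create or update a Role or ClusterRole whose rules it already holds itself, and only bind roles whose permissions it already has. The same commit drops the `topology.node.k8s.io` noderesourcetopologies rule from the generated role, so if the operator creates an RBAC object for an operand that grants that permission, or anything else outside its own role (not visible here), the create or update will be rejected. An install test on a clean cluster would confirm this. If a permission turns out to be missing, prefer keeping that rule on the operator over re-adding `escalate`, and put a comment above these markers stating that the operator's role must remain a superset of every role it creates.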
@@ -78,14 +78,14 @@ type NUMAResourcesSchedulerReconciler struct {
 }
 // Namespace Scoped
-//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=*,namespace="numaresources"
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;create;update,namespace="numaresources"
 // Cluster Scoped
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=*
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=*
-//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=*
-//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=*
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=*
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;create;update;list;watch
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;create;update;list;watch
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=list;watch
 //+kubebuilder:rbac:groups=nodetopology.openshift.io,resources=numaresourcesschedulers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=nodetopology.openshift.io,resources=numaresourcesschedulers/status,verbs=get;update;patch
diff --git a/rte/main.go b/rte/main.go
index f01da8acc8..d3528e38f2 100644
--- a/rte/main.go
+++ b/rte/main.go
@@ -48,11 +48,6 @@ const (
 defaultTopologyManagerScope = "container"
 )
-// Namespace Scoped
-
-// Cluster Scoped
-//+kubebuilder:rbac:groups=topology.node.k8s.io,resources=noderesourcetopologies,verbs=get;list;create;update
-
 func main() {
 bi := version.GetBuildInfo()
 klog.Infof("starting %s %s %s\n", version.ExporterProgramName(), bi.String(), runtime.Version())
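Review bot: The networkpolicies marker in numaresourcesscheduler_controller.go now grants only `get;create;update`, while every other object this reconciler manages keeps `list;watch`. If NetworkPolicies are read through the manager's default cached client, the informer behind it needs `list` and `watch`, and those reads will start failing as forbidden once the wildcard is gone. The same applies to the services and networkpolicies markers in numaresourcesoperator_controller.go. Either confirm these reads bypass the cache or use `verbs=get;create;update;list;watch,namespace="numaresources"`. `delete` and `patch` are no longer granted either, so any path that removes or patches these objects needs its verb listed explicitly.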