From 0a90e13beb00259992dbde19d65d0783bca22445 Mon Sep 17 00:00:00 2001
From: Dan Prince
Date: Mon, 18 Aug 2025 08:51:18 -0400
Subject: [PATCH] Remove proxy-rolebindings from all operator RBAC configurations
Removes the ClusterRoleBinding resources for proxy roles across all OpenStack operators in the bindata RBAC templates. This cleanup removes unnecessary proxy role bindings that are no longer needed.
Jira: OSPRH-19169
Co-Authored-By: Claude
---
 bindata/rbac/barbican-operator-rbac.yaml | 13 ---------
 bindata/rbac/cinder-operator-rbac.yaml | 13 ---------
 bindata/rbac/designate-operator-rbac.yaml | 13 ---------
 bindata/rbac/glance-operator-rbac.yaml | 13 ---------
 bindata/rbac/heat-operator-rbac.yaml | 13 ---------
 bindata/rbac/horizon-operator-rbac.yaml | 13 ---------
 bindata/rbac/infra-operator-rbac.yaml | 13 ---------
 bindata/rbac/ironic-operator-rbac.yaml | 13 ---------
 bindata/rbac/keystone-operator-rbac.yaml | 13 ---------
 bindata/rbac/manila-operator-rbac.yaml | 13 ---------
 bindata/rbac/mariadb-operator-rbac.yaml | 13 ---------
 bindata/rbac/neutron-operator-rbac.yaml | 13 ---------
 bindata/rbac/nova-operator-rbac.yaml | 13 ---------
 bindata/rbac/octavia-operator-rbac.yaml | 13 ---------
 .../openstack-baremetal-operator-rbac.yaml | 13 ---------
 bindata/rbac/ovn-operator-rbac.yaml | 13 ---------
 bindata/rbac/placement-operator-rbac.yaml | 13 ---------
 .../rbac/rabbitmq-cluster-operator-rbac.yaml | 13 ---------
 bindata/rbac/swift-operator-rbac.yaml | 13 ---------
 bindata/rbac/telemetry-operator-rbac.yaml | 13 ---------
 bindata/rbac/test-operator-rbac.yaml | 13 ---------
 bindata/rbac/watcher-operator-rbac.yaml | 13 ---------
 controllers/operator/openstack_controller.go | 28 +++++++++++++++++++
 hack/sync-bindata.sh | 13 ---------
 24 files changed, 28 insertions(+), 299 deletions(-)
diff --git a/bindata/rbac/barbican-operator-rbac.yaml b/bindata/rbac/barbican-operator-rbac.yaml
index 4143bb878b..0cd0680572 100644
--- a/bindata/rbac/barbican-operator-rbac.yaml
+++ b/bindata/rbac/barbican-operator-rbac.yaml
@@ -402,19 +402,6 @@ subjects:
 name: barbican-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: barbican-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: barbican-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: barbican-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/cinder-operator-rbac.yaml b/bindata/rbac/cinder-operator-rbac.yaml
index 9540937efd..e2db8f0750 100644
--- a/bindata/rbac/cinder-operator-rbac.yaml
+++ b/bindata/rbac/cinder-operator-rbac.yaml
@@ -446,19 +446,6 @@ subjects:
 name: cinder-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cinder-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cinder-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: cinder-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/designate-operator-rbac.yaml b/bindata/rbac/designate-operator-rbac.yaml
index 0151cc3ac2..0f671638f3 100644
--- a/bindata/rbac/designate-operator-rbac.yaml
+++ b/bindata/rbac/designate-operator-rbac.yaml
@@ -555,19 +555,6 @@ subjects:
 name: designate-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: designate-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: designate-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: designate-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/glance-operator-rbac.yaml b/bindata/rbac/glance-operator-rbac.yaml
index 67f6a1e57a..80199ca2b8 100644
--- a/bindata/rbac/glance-operator-rbac.yaml
+++ b/bindata/rbac/glance-operator-rbac.yaml
@@ -393,19 +393,6 @@ subjects:
 name: glance-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: glance-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: glance-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: glance-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/heat-operator-rbac.yaml b/bindata/rbac/heat-operator-rbac.yaml
index dabb74f067..dca715c230 100644
--- a/bindata/rbac/heat-operator-rbac.yaml
+++ b/bindata/rbac/heat-operator-rbac.yaml
@@ -403,19 +403,6 @@ subjects:
 name: heat-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: heat-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: heat-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: heat-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/horizon-operator-rbac.yaml b/bindata/rbac/horizon-operator-rbac.yaml
index fbb603dacf..799371206e 100644
--- a/bindata/rbac/horizon-operator-rbac.yaml
+++ b/bindata/rbac/horizon-operator-rbac.yaml
@@ -275,19 +275,6 @@ subjects:
 name: horizon-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: horizon-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: horizon-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: horizon-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/infra-operator-rbac.yaml b/bindata/rbac/infra-operator-rbac.yaml
index db00144ddb..60e59539d4 100644
--- a/bindata/rbac/infra-operator-rbac.yaml
+++ b/bindata/rbac/infra-operator-rbac.yaml
@@ -576,19 +576,6 @@ subjects:
 name: infra-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: infra-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: infra-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: infra-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/ironic-operator-rbac.yaml b/bindata/rbac/ironic-operator-rbac.yaml
index d58529bf83..131b1a0153 100644
--- a/bindata/rbac/ironic-operator-rbac.yaml
+++ b/bindata/rbac/ironic-operator-rbac.yaml
@@ -481,19 +481,6 @@ subjects:
 name: ironic-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ironic-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ironic-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: ironic-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/keystone-operator-rbac.yaml b/bindata/rbac/keystone-operator-rbac.yaml
index b8ac001509..c4c5be8b0f 100644
--- a/bindata/rbac/keystone-operator-rbac.yaml
+++ b/bindata/rbac/keystone-operator-rbac.yaml
@@ -385,19 +385,6 @@ subjects:
 name: keystone-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: keystone-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: keystone-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: keystone-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/manila-operator-rbac.yaml b/bindata/rbac/manila-operator-rbac.yaml
index 14a7aa8a80..d1c5b8f070 100644
--- a/bindata/rbac/manila-operator-rbac.yaml
+++ b/bindata/rbac/manila-operator-rbac.yaml
@@ -438,19 +438,6 @@ subjects:
 name: manila-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: manila-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: manila-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: manila-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/mariadb-operator-rbac.yaml b/bindata/rbac/mariadb-operator-rbac.yaml
index 61c3d14f04..75cdb48645 100644
--- a/bindata/rbac/mariadb-operator-rbac.yaml
+++ b/bindata/rbac/mariadb-operator-rbac.yaml
@@ -344,19 +344,6 @@ subjects:
 name: mariadb-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: mariadb-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: mariadb-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: mariadb-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/neutron-operator-rbac.yaml b/bindata/rbac/neutron-operator-rbac.yaml
index 78c4668fd5..c81e363b79 100644
--- a/bindata/rbac/neutron-operator-rbac.yaml
+++ b/bindata/rbac/neutron-operator-rbac.yaml
@@ -333,19 +333,6 @@ subjects:
 name: neutron-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: neutron-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: neutron-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: neutron-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/nova-operator-rbac.yaml b/bindata/rbac/nova-operator-rbac.yaml
index a4e625a9bb..0fe3a2f32b 100644
--- a/bindata/rbac/nova-operator-rbac.yaml
+++ b/bindata/rbac/nova-operator-rbac.yaml
@@ -554,19 +554,6 @@ subjects:
 name: nova-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nova-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nova-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: nova-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/octavia-operator-rbac.yaml b/bindata/rbac/octavia-operator-rbac.yaml
index 6c2ca42139..96b30c443c 100644
--- a/bindata/rbac/octavia-operator-rbac.yaml
+++ b/bindata/rbac/octavia-operator-rbac.yaml
@@ -470,19 +470,6 @@ subjects:
 name: octavia-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: octavia-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: octavia-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: octavia-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/openstack-baremetal-operator-rbac.yaml b/bindata/rbac/openstack-baremetal-operator-rbac.yaml
index 4bb850a059..6734fb14bc 100644
--- a/bindata/rbac/openstack-baremetal-operator-rbac.yaml
+++ b/bindata/rbac/openstack-baremetal-operator-rbac.yaml
@@ -331,19 +331,6 @@ subjects:
 name: openstack-baremetal-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openstack-baremetal-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: openstack-baremetal-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: openstack-baremetal-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/ovn-operator-rbac.yaml b/bindata/rbac/ovn-operator-rbac.yaml
index e823b58501..556725a605 100644
--- a/bindata/rbac/ovn-operator-rbac.yaml
+++ b/bindata/rbac/ovn-operator-rbac.yaml
@@ -365,19 +365,6 @@ subjects:
 name: ovn-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ovn-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ovn-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: ovn-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/placement-operator-rbac.yaml b/bindata/rbac/placement-operator-rbac.yaml
index ffa2eadfa9..d123bfd634 100644
--- a/bindata/rbac/placement-operator-rbac.yaml
+++ b/bindata/rbac/placement-operator-rbac.yaml
@@ -324,19 +324,6 @@ subjects:
 name: placement-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: placement-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: placement-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: placement-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml b/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml
index d52d2a60f7..0741b5a16f 100644
--- a/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml
+++ b/bindata/rbac/rabbitmq-cluster-operator-rbac.yaml
@@ -200,19 +200,6 @@ subjects:
 name: rabbitmq-cluster-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rabbitmq-cluster-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: rabbitmq-cluster-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: rabbitmq-cluster-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/swift-operator-rbac.yaml b/bindata/rbac/swift-operator-rbac.yaml
index ee1fb209ee..1b1d8b76fb 100644
--- a/bindata/rbac/swift-operator-rbac.yaml
+++ b/bindata/rbac/swift-operator-rbac.yaml
@@ -447,19 +447,6 @@ subjects:
 name: swift-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: swift-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: swift-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: swift-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/telemetry-operator-rbac.yaml b/bindata/rbac/telemetry-operator-rbac.yaml
index f9a85ef325..747fe0978a 100644
--- a/bindata/rbac/telemetry-operator-rbac.yaml
+++ b/bindata/rbac/telemetry-operator-rbac.yaml
@@ -564,19 +564,6 @@ subjects:
 name: telemetry-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: telemetry-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: telemetry-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: telemetry-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/test-operator-rbac.yaml b/bindata/rbac/test-operator-rbac.yaml
index d0c543b5b5..92aa90155f 100644
--- a/bindata/rbac/test-operator-rbac.yaml
+++ b/bindata/rbac/test-operator-rbac.yaml
@@ -261,19 +261,6 @@ subjects:
 name: test-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: test-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: test-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: test-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/bindata/rbac/watcher-operator-rbac.yaml b/bindata/rbac/watcher-operator-rbac.yaml
index f3191f6bea..df3742f905 100644
--- a/bindata/rbac/watcher-operator-rbac.yaml
+++ b/bindata/rbac/watcher-operator-rbac.yaml
@@ -427,19 +427,6 @@ subjects:
 name: watcher-operator-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: watcher-operator-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: watcher-operator-proxy-role
-subjects:
-- kind: ServiceAccount
- name: watcher-operator-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/controllers/operator/openstack_controller.go b/controllers/operator/openstack_controller.go
index 998b2c1d8e..ae62ca0e10 100644
--- a/controllers/operator/openstack_controller.go
+++ b/controllers/operator/openstack_controller.go
@@ -45,6 +45,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 discoveryv1 "k8s.io/api/discovery/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -916,6 +917,33 @@ func (r *OpenStackReconciler) postCleanupObsoleteResources(ctx context.Context,
 }
 }
+ // Cleanup obsolete proxy ClusterRoleBindings for service operators
+ clusterRoleBindingList := &rbacv1.ClusterRoleBindingList{}
+ err = r.Client.List(ctx, clusterRoleBindingList)
+ if err != nil {
+ return err
+ }
+ for _, clusterRoleBinding := range clusterRoleBindingList.Items {
+ // Check if this is a proxy rolebinding for a service operator
+ if strings.HasSuffix(clusterRoleBinding.Name, "-operator-proxy-rolebinding") {
+ // Extract operator name by removing the suffix
+ operatorName := strings.TrimSuffix(clusterRoleBinding.Name, "-operator-proxy-rolebinding")
+ if isServiceOperatorResource(operatorName) {
+ Log.Info("Deleting obsolete proxy ClusterRoleBinding", "name", clusterRoleBinding.Name)
+ err = r.Client.Delete(ctx, &clusterRoleBinding)
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ Log.Info("ClusterRoleBinding not found on delete. Continuing...", "name", clusterRoleBinding.Name)
+ continue
+ }
+ return err
+ }
+ Log.Info("ClusterRoleBinding deleted successfully", "name", clusterRoleBinding.Name)
+ break
+ }
+ }
+ }
+
 return nil
 }
diff --git a/hack/sync-bindata.sh b/hack/sync-bindata.sh
index b2de0372a2..422a6e1420 100755
--- a/hack/sync-bindata.sh
+++ b/hack/sync-bindata.sh
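Review bot: The `break` after a successful `r.Client.Delete` ends the loop as soon as one obsolete binding is removed, so with one `<name>-operator-proxy-rolebinding` per service operator (the YAML hunks drop 22 of them) only a single binding is deleted per reconcile and the rest wait for later passes, which is also inconsistent with the not-found branch that `continue`s; unless one deletion per pass is intended, drop the `break` so the loop walks the whole list. The match is name-only: any ClusterRoleBinding whose name ends in `-operator-proxy-rolebinding` for a known operator is deleted regardless of what it binds, so it is worth tightening the guard to the role the removed manifests actually referenced, `if isServiceOperatorResource(operatorName) && clusterRoleBinding.RoleRef.Name == operatorName+"-operator-proxy-role" {`. Deleting cluster-scoped RBAC also presumes the reconciler's own ClusterRole grants list and delete on clusterrolebindings; that RBAC lives outside this hunk and should be confirmed. postCleanupObsoleteResources begins before this hunk.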
@@ -228,19 +228,6 @@ subjects:
 name: ${OPERATOR_NAME}-controller-manager
 namespace: '{{ .OperatorNamespace }}'
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ${OPERATOR_NAME}-proxy-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ${OPERATOR_NAME}-proxy-role
-subjects:
-- kind: ServiceAccount
- name: ${OPERATOR_NAME}-controller-manager
- namespace: '{{ .OperatorNamespace }}'
----
 apiVersion: v1
 kind: Service
 metadata: