controller: add rbac for watching generated resources

xdavidwu · May 2, 2024 · 2faa07a · 2faa07a
1 parent 8766cef
commit 2faa07a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -37,28 +37,36 @@ rules:
   verbs:
   - create
   - get
+  - list
   - patch
+  - watch
 - apiGroups:
   - ""
   resources:
   - serviceaccounts
   verbs:
   - create
+  - list
   - patch
+  - watch
 - apiGroups:
   - ""
   resources:
   - services
   verbs:
   - create
+  - list
   - patch
+  - watch
 - apiGroups:
   - apps
   resources:
   - deployments
   verbs:
   - create
+  - list
   - patch
+  - watch
 - apiGroups:
   - kube-cgi.aic.cs.nycu.edu.tw
   resources:
@@ -98,11 +106,15 @@ rules:
   - ingresses
   verbs:
   - create
+  - list
   - patch
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
   - rolebindings
   verbs:
   - create
+  - list
   - patch
+  - watch
diff --git a/internal/controller/apiset_controller.go b/internal/controller/apiset_controller.go
@@ -34,12 +34,12 @@ type APISetReconciler struct {
 //+kubebuilder:rbac:groups=kube-cgi.aic.cs.nycu.edu.tw,resources=apisets/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=kube-cgi.aic.cs.nycu.edu.tw,resources=apisets/finalizers,verbs=update
 
-//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=create;patch
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;patch
-//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;patch
-//+kubebuilder:rbac:groups="",resources=services,verbs=create;patch
-//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=create;patch
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;create;patch
+//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=list;watch;create;patch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=list;watch;create;patch
+//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch;create;patch
+//+kubebuilder:rbac:groups="",resources=services,verbs=list;watch;create;patch
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=list;watch;create;patch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=list;watch;get;create;patch
 //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=create;patch
 
 // rbac in internal/cgid is also set on manager to be able to bind