Fix ClusterRole in Helm Chart

The operator needs cluster admin permissions to be able to create other roles. If the operator has not enough permissions the creation of rules will fail with an error: ``` 2024-12-08T22:14:27Z ERROR Reconciler error {"controller": "namespacerole", "controllerGroup": "kobs.io", "controllerKind": "NamespaceRole", "NamespaceRole": {"name":"group-diablo"}, "namespace": "", "name": "group-diablo", "reconcileID": "b7d4905f-dc03-4717-9586-3f84fd8b62fb", "error": "roles.rbac.authorization.k8s.io \"group-diablo\" is forbidden: user \"system:serviceaccount:internal-developer-portal:namespacerole-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:internal-developer-portal\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"*\"], Resources:[\"*\"], Verbs:[\"*\"]}"} sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.2/pkg/internal/controller/controller.go:316 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.2/pkg/internal/controller/controller.go:263 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2 /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.19.2/pkg/internal/controller/controller.go:224 ```
kobsio · Dec 8, 2024 · aa821c7 · aa821c7
1 parent 8748cc7
commit aa821c7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 75 deletions.
diff --git a/charts/namespacerole-operator/Chart.yaml b/charts/namespacerole-operator/Chart.yaml
@@ -3,5 +3,5 @@ apiVersion: v2
 name: namespacerole-operator
 description: A Kubernetes operator that manages the role-based access control (RBAC) for namespaces
 type: application
-version: 0.1.1
+version: 0.2.0
 appVersion: v0.1.0
diff --git a/charts/namespacerole-operator/templates/clusterrole.yaml b/charts/namespacerole-operator/templates/clusterrole.yaml
@@ -7,81 +7,13 @@ metadata:
     {{- include "namespacerole-operator.labels" . | nindent 4 }}
 rules:
   - apiGroups:
-      - kobs.io
+      - '*'
     resources:
-      - namespacerolebindings
+      - '*'
     verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - kobs.io
-    resources:
-      - namespacerolebindings/finalizers
-    verbs:
-      - update
-  - apiGroups:
-      - kobs.io
-    resources:
-      - namespacerolebindings/status
-    verbs:
-      - get
-      - patch
-      - update
-  - apiGroups:
-      - kobs.io
-    resources:
-      - namespaceroles
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - kobs.io
-    resources:
-      - namespaceroles/finalizers
-    verbs:
-      - update
-  - apiGroups:
-      - kobs.io
-    resources:
-      - namespaceroles/status
-    verbs:
-      - get
-      - patch
-      - update
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - clusterrolebindings
-      - rolebindings
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - clusterroles
-      - roles
+      - '*'
+  - nonResourceURLs:
+      - '*'
     verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
+      - '*'
 {{ end }}