diff --git a/README.adoc b/README.adoc
index 72b265f..acfe1a2 100644
--- a/README.adoc
+++ b/README.adoc
@@ -246,24 +246,26 @@ To add a -crtadmin user for a particular component in member cluster, update the
 For an admin of the component that needs to manually approve operator updates:
 ```yaml
 users:
-- name: -crtadmin
+- name: -maintainer
   id:
   -
   member:
     roleBindings:
     - namespace:
       roles:
-      - approve-operator-update
+      - view-secrets
       clusterRoles:
-      - admin
+      -
+      - some-extra-permissions
     clusterRoleBindings:
       clusterRoles:
-      - list-operators-group
+      - some-extra-cluster-scope-permissions
 ```
+NOTE: The creation of the ClusterRoles is not managed via ksctl, you need to make sure that they are created in the cluster.
 
 For a maintainer of the component with limited permissions:
 ```yaml
-- name: -crtadmin
+- name: -maintainer
   id:
   -
   member:
@@ -275,7 +277,7 @@ For a maintainer of the component with limited permissions:
 
 If you need any permissions also in a namespace in host cluster (to be used mainly by KubeSaw maintainers), then include the host section in the user's definition as well:
 ```yaml
-- name: -crtadmin
+- name: -maintainer
   id:
   -
   host:
diff --git a/pkg/cmd/generate/permissions.go b/pkg/cmd/generate/permissions.go
index 8563d5f..1cad906 100644
--- a/pkg/cmd/generate/permissions.go
+++ b/pkg/cmd/generate/permissions.go
@@ -171,7 +171,7 @@ func ensureServiceAccount(saNamespace string) newSubjectFunc {
 
 // ensureUserIdentityAndGroups ensures that all - User, Identity, IdentityMapping, and Group manifests - exist
 func ensureUserIdentityAndGroups(IDs []string, groups []string) newSubjectFunc {
-	return func(ctx *clusterContext, cache objectsCache, subjectBaseName, targetNamespace string, labels map[string]string) (rbacv1.Subject, error) {
+	return func(ctx *clusterContext, cache objectsCache, subjectBaseName, _ string, labels map[string]string) (rbacv1.Subject, error) {
 		// create user
 		user := &userv1.User{
 			ObjectMeta: metav1.ObjectMeta{
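Review bot: The doc comment above the changed signature still reads as if the returned newSubjectFunc honours every argument, while the new line drops the target namespace to `_`, and the hunk shows only the User being created, so it is not visible from here whether the rest of the closure is namespace-free. I would make the contract explicit in the comment, e.g. `// The target-namespace argument of the returned newSubjectFunc is ignored: the manifests it creates are cluster-scoped.`, adjusting the reason if a namespaced object is created further down. The closure body continues past the end of the hunk, and the call sites in permissions_test.go now pass a literal "not-used" for that argument, which would be a natural place to also assert that nothing namespaced ends up in the cache.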
diff --git a/pkg/cmd/generate/permissions_test.go b/pkg/cmd/generate/permissions_test.go
index eb6a4c4..917901f 100644
--- a/pkg/cmd/generate/permissions_test.go
+++ b/pkg/cmd/generate/permissions_test.go
@@ -135,7 +135,7 @@ func TestEnsureUserAndIdentity(t *testing.T) {
 		cache := objectsCache{}
 
 		// when
-		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{"crtadmins", "cooladmins"})(ctx, cache, "john-crtadmin", commontest.HostOperatorNs, labels)
+		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{"crtadmins", "cooladmins"})(ctx, cache, "john-crtadmin", "not-used", labels)
 
 		// then
 		require.NoError(t, err)
@@ -156,7 +156,7 @@ func TestEnsureUserAndIdentity(t *testing.T) {
 		cache := objectsCache{}
 
 		// when
-		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{})(ctx, cache, "john-crtadmin", commontest.HostOperatorNs, labels)
+		subject, err := ensureUserIdentityAndGroups([]string{"12345", "abc:19944:FZZ"}, []string{})(ctx, cache, "john-crtadmin", "not-used", labels)
 
 		// then
 		require.NoError(t, err)
@@ -175,7 +175,7 @@ func TestEnsureUserAndIdentity(t *testing.T) {
 		cache := objectsCache{}
 
 		// when
-		_, err := ensureUserIdentityAndGroups([]string{"12345"}, []string{})(ctx, cache, "john-crtadmin", commontest.HostOperatorNs, labels)
+		_, err := ensureUserIdentityAndGroups([]string{"12345"}, []string{})(ctx, cache, "john-crtadmin", "not-used", labels)
 
 		// then
 		require.NoError(t, err)
diff --git a/resources/roles/member.yaml b/resources/roles/member.yaml
index 7c3558e..5532c84 100644
--- a/resources/roles/member.yaml
+++ b/resources/roles/member.yaml
@@ -4,25 +4,6 @@ metadata: name: member-roles objects: -- kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: approve-operator-update - labels: - provider: ksctl - rules: - - apiGroups: - - operators.coreos.com - resources: - - "installplans" - verbs: - - "get" - - "list" - - "create" - - "patch" - - "update" - - "delete" - - kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -73,20 +54,3 @@ objects: - "create" - "update" - "patch" - -- kind: Role - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: edit-csv - labels: - provider: ksctl - rules: - - apiGroups: - - operators.coreos.com - resources: - - "clusterserviceversions" - verbs: - - "get" - - "list" - - "patch" - - "update" diff --git a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml index d29a72a..3f30078 100644 --- a/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml +++ b/test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml @@ -143,13 +143,12 @@ users: member: roleBindings: - namespace: some-component - roles: - - approve-operator-update clusterRoles: - edit + - approve-operator-update # needs to be created separately clusterRoleBindings: clusterRoles: - - list-operators-group + - list-operators-group # needs to be created separately - name: other-component-viewer id:
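Review bot: The `# needs to be created separately` comments on the two changed lines of kubesaw-admins.yaml do not say what is expected or what happens when it is missing; a RoleBinding or ClusterRoleBinding whose roleRef names a ClusterRole that does not exist is accepted by the API server but grants nothing until that ClusterRole appears, so a typo or a forgotten manual step silently yields a maintainer entry with fewer permissions than intended rather than an error. Since the namespaced `approve-operator-update` Role is deleted from member.yaml earlier in this diff and nothing in the repository defines a ClusterRole of that name, the rules this entry actually grants are whatever the cluster holds and can no longer be reviewed here. I would make the comment carry that, e.g. `# ClusterRole not managed by ksctl: must exist in the member cluster or this binding grants nothing`, and, if ksctl has a validation step, consider warning when a referenced ClusterRole is not among the generated resources (the generator is not visible from this hunk). The user entry this hunk edits begins before the hunk.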