diff --git a/.chloggen/fix_clusterrole-permissions.yaml b/.chloggen/fix_clusterrole-permissions.yaml new file mode 100755 index 0000000000..1404375ea8 --- /dev/null +++ b/.chloggen/fix_clusterrole-permissions.yaml @@ -0,0 +1,16 @@ +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: bug_fix + +# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action) +component: operator + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Fix ClusterRole and ClusterRoleBinding reconciliation + +# One or more tracking issues related to the change +issues: [2525] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: diff --git a/bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml b/bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml index 1ee83f8934..8694888ef4 100644 --- a/bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml +++ b/bundle/manifests/opentelemetry-operator.clusterserviceversion.yaml @@ -65,7 +65,7 @@ metadata: categories: Logging & Tracing,Monitoring certified: "false" containerImage: ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator - createdAt: "2024-01-12T11:13:24Z" + createdAt: "2024-01-17T15:53:32Z" description: Provides the OpenTelemetry components, including the Collector operators.operatorframework.io/builder: operator-sdk-v1.29.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 
@@ -351,19 +351,6 @@ spec: - patch - update - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - route.openshift.io resources: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 5176137b9d..c2b96f80a7 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -184,19 +184,6 @@ rules: - patch - update - watch -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - route.openshift.io resources: diff --git a/controllers/opentelemetrycollector_controller.go b/controllers/opentelemetrycollector_controller.go index c1e7933c07..f5fc4ceb2f 100644 --- a/controllers/opentelemetrycollector_controller.go +++ b/controllers/opentelemetrycollector_controller.go @@ -84,7 +84,6 @@ func NewReconciler(p Params) *OpenTelemetryCollectorReconciler { // +kubebuilder:rbac:groups=apps,resources=daemonsets;deployments;statefulsets,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings;clusterroles,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;podmonitors,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;create;update;patch;delete 
@@ -141,9 +140,12 @@ func (r *OpenTelemetryCollectorReconciler) SetupWithManager(mgr ctrl.Manager) er Owns(&appsv1.DaemonSet{}). Owns(&appsv1.StatefulSet{}). Owns(&autoscalingv2.HorizontalPodAutoscaler{}). - Owns(&policyV1.PodDisruptionBudget{}). - Owns(&rbacv1.ClusterRoleBinding{}). - Owns(&rbacv1.ClusterRole{}) + Owns(&policyV1.PodDisruptionBudget{}) + + if r.config.CreateRBACPermissions() { + builder.Owns(&rbacv1.ClusterRoleBinding{}) + builder.Owns(&rbacv1.ClusterRole{}) + } if featuregate.PrometheusOperatorIsAvailable.IsEnabled() { builder.Owns(&monitoringv1.ServiceMonitor{})
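Review bot: The new `if r.config.CreateRBACPermissions()` gate in SetupWithManager decides whether informers are started for ClusterRole and ClusterRoleBinding, so it has to reflect list and watch access on those resources, not only create. This commit removes the static rbac.authorization.k8s.io rule from the operator's role, so if the check (defined outside this diff) probes only a subset of verbs, the caches for these two types would presumably fail to sync on a forbidden list/watch. The value is also read once at setup, so permissions granted or revoked after startup would not take effect until the operator restarts. A short comment above the block would make both points explicit, e.g. `// ClusterRole/ClusterRoleBinding are watched only if the operator held RBAC permissions at startup; the default role no longer grants them.` The body of SetupWithManager starts and ends outside this hunk.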