vmware-archive / operator-builder

A Kubebuilder plugin to accelerate the development of Kubernetes operators
MIT License

feat: support non resource urls for roles #274

Closed scottd018 closed 2 years ago

scottd018 commented 2 years ago

Given the current manifest:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fluent-bit-role
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - namespaces
      - pods
      - pods/logs
    verbs: ["get", "list", "watch"]

The following error occurs:

failed to create API: unable to inject the resource to "config.operatorbuilder.io/v1": unable to inject resource into .source/config/collection.yaml, unable to convert to []interface{}; unable to convert to []string; error converting rbac groups for rule map[nonResourceURLs:[/metrics] verbs:[get]]; error processing rbac role rule [map[nonResourceURLs:[/metrics] verbs:[get]] map[apiGroups:[] resources:[namespaces pods pods/logs] verbs:[get list watch]]]

This is because non-resource URLs are not supported. We should support them via the following kubebuilder RBAC marker.

https://pkg.go.dev/sigs.k8s.io/controller-tools/pkg/rbac
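
A sketch of the conversion the issue asks for, added here as an example and not taken from operator-builder's code: it renders each rule from the manifest above as a kubebuilder RBAC marker, using the `urls` marker field for `nonResourceURLs`. The `Rule` type and `ToMarker` function are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule holds the PolicyRule fields used by the manifest in this issue.
// Hypothetical type for this example, not an operator-builder type.
type Rule struct {
	APIGroups, Resources, NonResourceURLs, Verbs []string
}

// ToMarker renders one rule as a kubebuilder RBAC marker comment.
func ToMarker(r Rule) (string, error) {
	if len(r.Verbs) == 0 {
		return "", fmt.Errorf("rule has no verbs")
	}
	var fields []string
	switch hasURLs, hasRes := len(r.NonResourceURLs) > 0, len(r.Resources) > 0; {
	case hasURLs && hasRes:
		// Kubernetes rejects a rule that targets both resources and URLs.
		return "", fmt.Errorf("rule mixes nonResourceURLs and resources")
	case hasURLs:
		// No apiGroups on this rule: the case that failed in the issue.
		fields = append(fields, "urls="+strings.Join(r.NonResourceURLs, ";"))
	case hasRes && len(r.APIGroups) > 0:
		groups := make([]string, len(r.APIGroups))
		for i, g := range r.APIGroups {
			if g == "" {
				g = "core" // controller-tools maps "core" back to ""
			}
			groups[i] = g
		}
		fields = append(fields, "groups="+strings.Join(groups, ";"))
		fields = append(fields, "resources="+strings.Join(r.Resources, ";"))
	default:
		return "", fmt.Errorf("rule needs apiGroups and resources, or nonResourceURLs")
	}
	fields = append(fields, "verbs="+strings.Join(r.Verbs, ";"))
	return "// +kubebuilder:rbac:" + strings.Join(fields, ","), nil
}

func main() {
	for _, r := range []Rule{ // the two rules from the ClusterRole above
		{NonResourceURLs: []string{"/metrics"}, Verbs: []string{"get"}},
		{APIGroups: []string{""}, Resources: []string{"namespaces", "pods", "pods/logs"}, Verbs: []string{"get", "list", "watch"}},
	} {
		fmt.Println(ToMarker(r))
	}
}
```

Emitting one marker per rule keeps the generated ClusterRole as narrow as the source manifest: the `/metrics` grant stays a `get` on a single URL and is not folded into the resource rule.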