Delete unnecessary k8s resource access permissions

backguynn · backguynn · commit 94f3cabe925a · 2024-10-29T11:49:34.000+09:00
diff --git a/managers/ingress.go b/managers/ingress.go
@@ -68,7 +68,7 @@ func (r *LoxilbIngressReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 	}
 
 	ingress := &netv1.Ingress{}
-	err = r.Client.Get(ctx, req.NamespacedName, ingress)
+	err = r.Get(ctx, req.NamespacedName, ingress)
 	if err != nil {
 		// Ingress is deleted.
 		if errors.IsNotFound(err) {
@@ -186,7 +186,7 @@ func (r *LoxilbIngressReconciler) createLoxiLoadBalancerEndpoints(ctx context.Co
 	}
 
 	ep := &corev1.Endpoints{}
-	if err := r.Client.Get(ctx, key, ep); err != nil {
+	if err := r.Get(ctx, key, ep); err != nil {
 		return loxilbEpList, err
 	}
 
@@ -285,7 +285,7 @@ func (r *LoxilbIngressReconciler) updateIngressStatus(ctx context.Context, ingre
 	}
 
 	svc := &corev1.Service{}
-	if err := r.Client.Get(ctx, lbSvcKey, svc); err != nil {
+	if err := r.Get(ctx, lbSvcKey, svc); err != nil {
 		return err
 	}
 
@@ -310,7 +310,7 @@ func (r *LoxilbIngressReconciler) updateIngressStatus(ctx context.Context, ingre
 		ingress.Status.LoadBalancer.Ingress = append(ingress.Status.LoadBalancer.Ingress, newIngressLoadBalancerIngress)
 	}
 
-	return r.Client.Status().Update(ctx, ingress)
+	return r.Status().Update(ctx, ingress)
 }
 
 func (r *LoxilbIngressReconciler) checkIngressLoadBalancerIngressExist(ingress *netv1.Ingress, serviceIngress corev1.LoadBalancerIngress) bool {
diff --git a/manifests/loxilb-ingress-deploy.yml b/manifests/loxilb-ingress-deploy.yml
@@ -15,106 +15,6 @@ metadata:
   name: loxilb-ingress
   namespace: kube-system
 ---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: loxilb-ingress
-  namespace: kube-system
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - watch
-      - list
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-      - watch
-      - list
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-      - services
-      - services/status
-    verbs:
-      - get
-      - watch
-      - list
-      - patch
-      - update
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
-    verbs:
-      - create
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-      - get
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -123,18 +23,6 @@ metadata:
     app.kubernetes.io/name: loxilb-ingress
   name: loxilb-ingress
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - endpoints
-  - nodes
-  - pods
-  - secrets
-  - namespaces
-  verbs:
-  - list
-  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -145,12 +33,7 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - nodes
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
+  - endpoints
   - services
   verbs:
   - get
@@ -196,23 +79,6 @@ rules:
   - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/instance: loxilb-ingress
-    app.kubernetes.io/name: loxilb-ingress
-  name: loxilb-ingress
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: loxilb-ingress
-subjects:
-- kind: ServiceAccount
-  name: loxilb-ingress
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ func (r *LoxilbIngressReconciler) Reconcile(ctx context.Context, req ctrl.Reques`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`ingress := &netv1.Ingress{}`
`71`		`- err = r.Client.Get(ctx, req.NamespacedName, ingress)`
	`71`	`+ err = r.Get(ctx, req.NamespacedName, ingress)`
`72`	`72`	`if err != nil {`
`73`	`73`	`// Ingress is deleted.`
`74`	`74`	`if errors.IsNotFound(err) {`
`@@ -186,7 +186,7 @@ func (r *LoxilbIngressReconciler) createLoxiLoadBalancerEndpoints(ctx context.Co`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`ep := &corev1.Endpoints{}`
`189`		`- if err := r.Client.Get(ctx, key, ep); err != nil {`
	`189`	`+ if err := r.Get(ctx, key, ep); err != nil {`
`190`	`190`	`return loxilbEpList, err`
`191`	`191`	`}`
`192`	`192`
`@@ -285,7 +285,7 @@ func (r *LoxilbIngressReconciler) updateIngressStatus(ctx context.Context, ingre`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`svc := &corev1.Service{}`
`288`		`- if err := r.Client.Get(ctx, lbSvcKey, svc); err != nil {`
	`288`	`+ if err := r.Get(ctx, lbSvcKey, svc); err != nil {`
`289`	`289`	`return err`
`290`	`290`	`}`
`291`	`291`
`@@ -310,7 +310,7 @@ func (r *LoxilbIngressReconciler) updateIngressStatus(ctx context.Context, ingre`
`310`	`310`	`ingress.Status.LoadBalancer.Ingress = append(ingress.Status.LoadBalancer.Ingress, newIngressLoadBalancerIngress)`
`311`	`311`	`}`
`312`	`312`
`313`		`- return r.Client.Status().Update(ctx, ingress)`
	`313`	`+ return r.Status().Update(ctx, ingress)`
`314`	`314`	`}`
`315`	`315`
`316`	`316`	`func (r LoxilbIngressReconciler) checkIngressLoadBalancerIngressExist(ingress netv1.Ingress, serviceIngress corev1.LoadBalancerIngress) bool {`