diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index e0f4d24e0..7f55420d1 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -205,6 +205,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - hostdevicenetworks/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mellanox.com
 resources:
@@ -225,6 +231,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - ipoibnetworks/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mellanox.com
 resources:
@@ -245,6 +257,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - macvlannetworks/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mellanox.com
 resources:
@@ -266,6 +284,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - nicclusterpolicies/finalizers
+ verbs:
+ - update
 - apiGroups:
 - monitoring.coreos.com
 resources:
diff --git a/controllers/hostdevicenetwork_controller.go b/controllers/hostdevicenetwork_controller.go
index 88fd297d2..1e4b15f36 100644
--- a/controllers/hostdevicenetwork_controller.go
+++ b/controllers/hostdevicenetwork_controller.go
@@ -50,6 +50,7 @@ type HostDeviceNetworkReconciler struct {
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/finalizers,verbs=update
 // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
diff --git a/controllers/ipoibnetwork_controller.go b/controllers/ipoibnetwork_controller.go
index 358db6afb..fa027c115 100644
--- a/controllers/ipoibnetwork_controller.go
+++ b/controllers/ipoibnetwork_controller.go
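Review bot: The new `hostdevicenetworks/finalizers` marker in controllers/hostdevicenetwork_controller.go is added with no explanation of why the reconciler needs it, so someone trimming RBAC later cannot tell it from a leftover grant. A one-line comment above the marker block would settle it, e.g. `// finalizers update: needed to set blockOwnerDeletion owner references when the OwnerReferencesPermissionEnforcement admission plugin is enabled.` That reason is an assumption, since the reconciler body is outside the hunk; confirm it sets owner references on the objects it creates before wording the comment that way. The same applies to the matching markers added in ipoibnetwork_controller.go, macvlannetwork_controller.go and nicclusterpolicy_controller.go.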
@@ -50,6 +50,7 @@ type IPoIBNetworkReconciler struct {
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/finalizers,verbs=update
 // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
diff --git a/controllers/macvlannetwork_controller.go b/controllers/macvlannetwork_controller.go
index d23510fa9..973f52bb5 100644
--- a/controllers/macvlannetwork_controller.go
+++ b/controllers/macvlannetwork_controller.go
@@ -52,6 +52,7 @@ type MacvlanNetworkReconciler struct {
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/finalizers,verbs=update
 // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
diff --git a/controllers/nicclusterpolicy_controller.go b/controllers/nicclusterpolicy_controller.go
index d5f9db494..c0a319171 100644
--- a/controllers/nicclusterpolicy_controller.go
+++ b/controllers/nicclusterpolicy_controller.go
@@ -59,6 +59,7 @@ type NicClusterPolicyReconciler struct {
 //nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies;nicclusterpolicies/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies/finalizers,verbs=update
 // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
diff --git a/deployment/network-operator/templates/role.yaml b/deployment/network-operator/templates/role.yaml
index 6c76b7a5c..547646acf 100644
--- a/deployment/network-operator/templates/role.yaml
+++ b/deployment/network-operator/templates/role.yaml
@@ -80,6 +80,18 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -141,6 +153,19 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificates
+ - issuers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - config.openshift.io
 resources:
@@ -173,13 +198,7 @@ rules:
 - apiGroups:
 - k8s.cni.cncf.io
 resources:
- '*'
- verbs:
- '*'
-- apiGroups:
- - mellanox.com
- resources:
- - '*'
+ - network-attachment-definitions
 verbs:
 - create
 - delete
@@ -200,6 +219,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - hostdevicenetworks/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mellanox.com
 resources:
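Review bot: The `validatingwebhookconfigurations` rule in the `@@ -80,6 +80,18 @@` hunk of deployment/network-operator/templates/role.yaml grants create, delete, patch and update with no `resourceNames`, so the operator's service account can rewrite or remove any validating admission webhook in the cluster, not only its own. The commit only relocates this rule (the last hunk of the file removes it from the end), but since the role is being tightened elsewhere it is worth narrowing here too. Keep `create` in an unrestricted rule, because it cannot be limited by name, and move `get;update;patch;delete` to a rule that carries `resourceNames=<operator-webhook-configuration-name>`. The marker that generates this rule is not part of the diff, and whether the operator creates the webhook configuration itself is not visible from here.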
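Review bot: Dropping the `mellanox.com` `'*'` resources rule in the `@@ -173,13 +198,7 @@` hunk leaves the chart granting access only to kinds that have an explicit rule; those visible in this diff are hostdevicenetworks, ipoibnetworks, macvlannetworks and nicclusterpolicies. Any other kind in that group that the operator reads or writes would start returning Forbidden after a chart upgrade, so confirm each reconciled kind has its own `+kubebuilder:rbac` marker before this ships. The same check applies to `k8s.cni.cncf.io`, which is now limited to `network-attachment-definitions`.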
@@ -220,6 +245,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - ipoibnetworks/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mellanox.com
 resources:
@@ -240,6 +271,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - macvlannetworks/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mellanox.com
 resources:
@@ -248,6 +285,25 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - mellanox.com
+ resources:
+ - nicclusterpolicies
+ - nicclusterpolicies/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - mellanox.com
+ resources:
+ - nicclusterpolicies/finalizers
+ verbs:
+ - update
 - apiGroups:
 - monitoring.coreos.com
 resources:
@@ -333,28 +389,3 @@ rules:
 - patch
 - update
 - watch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - cert-manager.io
- resources:
- - certificates
- - issuers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
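Review bot: The rule added in the `@@ -248,6 +285,25 @@` hunk gives `nicclusterpolicies/status` the full create/delete/get/list/patch/update/watch set, while the other three kinds get only get, patch and update on their status subresource. It appears to come from the combined marker in nicclusterpolicy_controller.go, so splitting that marker would make the generated role consistent and drop verbs the status subresource does not need: `// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies,verbs=get;list;watch;create;update;patch;delete` and `// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies/status,verbs=get;update;patch`. That this template is generated from the markers is inferred from the matching rule shapes, not shown in the diff.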