From 5febfe55b01b55af6d6b078e9d6b4d0936b4a3b9 Mon Sep 17 00:00:00 2001
From: Fred Rolland
Date: Mon, 18 Sep 2023 12:01:20 +0300
Subject: [PATCH] Revert "Merge pull request #596 from adrianchiris/removed-wildcard-permissions"

This reverts commit 1804ba4a595a6c47866f5de9319e3814fbce327f, reversing changes made to 40af79592080d82cb5708f1dd01e9db4885b5865.

Signed-off-by: Fred Rolland
---
 config/manager/kustomization.yaml | 5 +++--
 config/rbac/role.yaml | 20 +++++++------------
 controllers/hostdevicenetwork_controller.go | 3 +--
 controllers/ipoibnetwork_controller.go | 4 ++--
 controllers/macvlannetwork_controller.go | 4 ++--
 controllers/nicclusterpolicy_controller.go | 5 ++---
 controllers/upgrade_controller.go | 4 ++--
 7 files changed, 19 insertions(+), 26 deletions(-)

diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index b9adbfca..a5e0372a 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -11,5 +11,6 @@ configMapGenerator:
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- name: controller
-  newName: mellanox/network-operator
+- digest: sha256:7005fa24a1ae52d927e76d50d90fddf6b6c7b08885a2dad3c7e5e2c2ac21c834
+  name: controller
+  newName: nvcr.io/nvidia/cloud-native/network-operator
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 2036dd7d..e6a397a5 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -158,7 +158,13 @@ rules:
 - apiGroups:
   - k8s.cni.cncf.io
   resources:
-  - network-attachment-definitions
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - mellanox.com
+  resources:
+  - '*'
   verbs:
   - create
   - delete
@@ -227,18 +233,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - mellanox.com
-  resources:
-  - nicclusterpolicies
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - monitoring.coreos.com
   resources:
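Review bot: The image-source change in the kustomization hunk, from `mellanox/network-operator` to `nvcr.io/nvidia/cloud-native/network-operator` pinned by digest, is unrelated to the wildcard-permission revert the commit title describes, so it should at least be named in the description, or split into its own commit, so that the registry switch is reviewed deliberately. Pinning by digest is the stronger supply-chain posture, but it presumably has to be refreshed on every release; a one-line comment above the `images:` entry saying where the digest comes from would save the next maintainer from editing it by hand.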
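Review bot: The new rule grants `k8s.cni.cncf.io` `resources: '*'` with `verbs: '*'` and `mellanox.com` `resources: '*'`, replacing the single `network-attachment-definitions` resource here and the `nicclusterpolicies` rule deleted in the second hunk, so the operator's ClusterRole is back to wildcard access on both API groups. The commit message says only that it is a revert; if the narrowed rules from #596 broke a reconcile because a resource or verb was missing, the least-privilege fix is to add that resource explicitly rather than restore `'*'`, and the reason for the revert should be recorded in the description either way. This file appears to be generated by controller-gen from the `+kubebuilder:rbac` markers, so the same point applies to the marker lines added in the hostdevicenetwork, ipoibnetwork, macvlannetwork, nicclusterpolicy and upgrade controller hunks; ipoibnetwork and macvlannetwork keep their resource-specific markers next to the new `resources=*` line, so the wildcard line is the one to drop once the missing resource is identified.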
diff --git a/controllers/hostdevicenetwork_controller.go b/controllers/hostdevicenetwork_controller.go
index 88fd297d..727113d4 100644
--- a/controllers/hostdevicenetwork_controller.go
+++ b/controllers/hostdevicenetwork_controller.go
@@ -48,10 +48,9 @@ type HostDeviceNetworkReconciler struct {
 	stateManager state.Manager
 }
 
-//nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mellanox.com,resources=hostdevicenetworks/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=*,verbs=*
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/ipoibnetwork_controller.go b/controllers/ipoibnetwork_controller.go
index 358db6af..4f37b58b 100644
--- a/controllers/ipoibnetwork_controller.go
+++ b/controllers/ipoibnetwork_controller.go
@@ -48,10 +48,10 @@ type IPoIBNetworkReconciler struct {
 	stateManager state.Manager
 }
 
-//nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mellanox.com,resources=ipoibnetworks/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=*,verbs=*
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/macvlannetwork_controller.go b/controllers/macvlannetwork_controller.go
index d23510fa..2f27f46f 100644
--- a/controllers/macvlannetwork_controller.go
+++ b/controllers/macvlannetwork_controller.go
@@ -50,10 +50,10 @@ type MacvlanNetworkReconciler struct {
 	stateManager state.Manager
 }
 
-//nolint:lll
 // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mellanox.com,resources=macvlannetworks/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=*,verbs=*
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/nicclusterpolicy_controller.go b/controllers/nicclusterpolicy_controller.go
index 43b53fc2..47b65507 100644
--- a/controllers/nicclusterpolicy_controller.go
+++ b/controllers/nicclusterpolicy_controller.go
@@ -54,9 +54,8 @@ type NicClusterPolicyReconciler struct {
 }
 
 // In case of adding support for additional types, also update in getSupportedGVKs func in pkg/state/state_skel.go
-
-//nolint:lll
-// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies,verbs=get;list;watch;create;update;patch;delete
+//nolint
+// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
diff --git a/controllers/upgrade_controller.go b/controllers/upgrade_controller.go
index 259f7a20..41166057 100644
--- a/controllers/upgrade_controller.go
+++ b/controllers/upgrade_controller.go
@@ -59,8 +59,8 @@ const plannedRequeueInterval = time.Minute * 2
 // UpgradeStateAnnotation is kept for backwards cleanup TODO: drop in 2 releases
 const UpgradeStateAnnotation = "nvidia.com/ofed-upgrade-state"
 
-//nolint:lll
-// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies,verbs=get;list;watch;create;update;patch;delete
+//nolint
+// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=list
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets;controllerrevisions,verbs=get;list;watch;create;update;patch;delete
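Review bot: The replacement `//nolint` added in the nicclusterpolicy hunk (and the identical line in the upgrade_controller hunk) carries no linter name, which in golangci-lint suppresses every linter on the following line rather than just the line-length check the removed `//nolint:lll` was scoped to, and nolintlint reports an unqualified directive when require-specific is enabled. The new `resources=*` marker is shorter than the line it replaces, so if it fits the configured limit the directive can simply be deleted; otherwise keep it scoped, `//nolint:lll`. These marker lines sit at file scope between the reconciler struct and the Reconcile method, both of which are outside the hunk.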