Fix controller permissions (#20)

* Fix controller permissions

* Allow creating events

* Add rbac.appuio and k8s rbac permissions

config/rbac/role.yaml

@@ -5,12 +5,19 @@ metadata:
   creationTimestamp: null
   name: appuio-keycloak-adapter
 rules:
+- resources:
+  - events
+  verbs:
+  - create
+  - patch
 - apiGroups:
   - appuio.io
   resources:
   - organizationmembers
   verbs:
+  - create
   - get
+  - list
   - patch
   - update
   - watch
@@ -33,7 +40,9 @@ rules:
   resources:
   - teams
   verbs:
+  - create
   - get
+  - list
   - patch
   - update
   - watch
@@ -53,24 +62,40 @@ rules:
   - update
 - apiGroups:
   - organization.appuio.io
+  - rbac.appuio.io
   resources:
   - organizations
   verbs:
+  - create
   - get
+  - list
   - patch
   - update
   - watch
 - apiGroups:
   - organization.appuio.io
+  - rbac.appuio.io
   resources:
   - organizations/finalizers
   verbs:
   - update
 - apiGroups:
   - organization.appuio.io
+  - rbac.appuio.io
   resources:
   - organizations/status
   verbs:
   - get
   - patch
   - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - subjects
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update

controllers/organization_controller.go

@@ -38,13 +38,15 @@ type KeycloakClient interface {
 
 var orgFinalizer = "keycloak-adapter.vshn.net/finalizer"
 
-//+kubebuilder:rbac:groups=organization.appuio.io,resources=organizations,verbs=get;watch;update;patch
-//+kubebuilder:rbac:groups=organization.appuio.io,resources=organizations/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=organization.appuio.io,resources=organizations/finalizers,verbs=update
-//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;watch;update;patch
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations/finalizers,verbs=update
+//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers/finalizers,verbs=update
 
+//+kubebuilder:rbac:groups=,resources=events,verbs=create;patch
+
 // Reconcile reacts on changes of Organizations and OrganizationMembers and mirrors these changes to groups in Keycloak
 func (r *OrganizationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := log.FromContext(ctx)

controllers/periodic_syncer.go

@@ -32,6 +32,11 @@ type PeriodicSyncer struct {
 	SyncClusterRoles []string
 }
 
+//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=create
+//+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=create
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations,verbs=create
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=subjects;rolebindings,verbs=get;list;create;update;patch
+
 // Sync lists all Keycloak groups in the realm and creates corresponding Organizations if they do not exist
 func (r *PeriodicSyncer) Sync(ctx context.Context) error {
 	logger := log.FromContext(ctx)

controllers/team_controller.go

@@ -23,7 +23,7 @@ type TeamReconciler struct {
 	Keycloak KeycloakClient
 }
 
-//+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=get;watch;update;patch
+//+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=teams/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=teams/finalizers,verbs=update