From a7433341cb1f4c77442c32562956aac45909199f Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Fri, 11 Mar 2022 17:32:39 +0100
Subject: [PATCH] Fix controller permissions (#20)
* Fix controller permissions
* Allow creating events
* Add rbac.appuio and k8s rbac permissions
---
config/rbac/role.yaml | 25 +++++++++++++++++++++++++
controllers/organization_controller.go | 10 ++++++----
controllers/periodic_syncer.go | 5 +++++
controllers/team_controller.go | 2 +-
4 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 2fe8f15..9c59517 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -5,12 +5,19 @@ metadata:
 creationTimestamp: null
 name: appuio-keycloak-adapter
 rules:
+- resources:
+ - events
+ verbs:
+ - create
+ - patch
 - apiGroups:
 - appuio.io
 resources:
 - organizationmembers
 verbs:
+ - create
 - get
+ - list
 - patch
 - update
 - watch
@@ -33,7 +40,9 @@ rules:
 resources:
 - teams
 verbs:
+ - create
 - get
+ - list
 - patch
 - update
 - watch
@@ -53,24 +62,40 @@ rules:
 - update
 - apiGroups:
 - organization.appuio.io
+ - rbac.appuio.io
 resources:
 - organizations
 verbs:
+ - create
 - get
+ - list
 - patch
 - update
 - watch
 - apiGroups:
 - organization.appuio.io
+ - rbac.appuio.io
 resources:
 - organizations/finalizers
 verbs:
 - update
 - apiGroups:
 - organization.appuio.io
+ - rbac.appuio.io
 resources:
 - organizations/status
 verbs:
 - get
 - patch
 - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - subjects
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
diff --git a/controllers/organization_controller.go b/controllers/organization_controller.go
index 6fc6caf..2d91e29 100644
--- a/controllers/organization_controller.go
+++ b/controllers/organization_controller.go
@@ -38,13 +38,15 @@ type KeycloakClient interface {
 var orgFinalizer = "keycloak-adapter.vshn.net/finalizer"
-//+kubebuilder:rbac:groups=organization.appuio.io,resources=organizations,verbs=get;watch;update;patch
-//+kubebuilder:rbac:groups=organization.appuio.io,resources=organizations/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=organization.appuio.io,resources=organizations/finalizers,verbs=update
-//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;watch;update;patch
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations/finalizers,verbs=update
+//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers/finalizers,verbs=update
+//+kubebuilder:rbac:groups=,resources=events,verbs=create;patch
+
 // Reconcile reacts on changes of Organizations and OrganizationMembers and mirrors these changes to groups in Keycloak
 func (r *OrganizationReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 log := log.FromContext(ctx)
diff --git a/controllers/periodic_syncer.go b/controllers/periodic_syncer.go
index f406db8..31a146a 100644
--- a/controllers/periodic_syncer.go
+++ b/controllers/periodic_syncer.go
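Review bot: The added marker `//+kubebuilder:rbac:groups=,resources=events,verbs=create;patch` leaves the group empty instead of naming the core API group, and the regenerated role.yaml in this same patch shows the consequence: its first rule is `- resources: - events` with no `apiGroups` key at all. Kubernetes RBAC validation requires at least one apiGroup on every resource rule, so applying the generated Role would be rejected and the event permission this commit is meant to add would never take effect. Quoting the empty string selects the core group explicitly, `//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch`, and regenerating the manifests should then emit `apiGroups: - ""` ahead of `resources` in that rule. The Reconcile body continues outside the hunk.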
@@ -32,6 +32,11 @@ type PeriodicSyncer struct {
 SyncClusterRoles []string
 }
+//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=create
+//+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=create
+//+kubebuilder:rbac:groups=organization.appuio.io;rbac.appuio.io,resources=organizations,verbs=create
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=subjects;rolebindings,verbs=get;list;create;update;patch
+
 // Sync lists all Keycloak groups in the realm and creates corresponding Organizations if they do not exist
 func (r *PeriodicSyncer) Sync(ctx context.Context) error {
 logger := log.FromContext(ctx)
diff --git a/controllers/team_controller.go b/controllers/team_controller.go
index 274489a..ad733bd 100644
--- a/controllers/team_controller.go
+++ b/controllers/team_controller.go
@@ -23,7 +23,7 @@ type TeamReconciler struct {
 Keycloak KeycloakClient
 }
-//+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=get;watch;update;patch
+//+kubebuilder:rbac:groups=appuio.io,resources=teams,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=teams/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=teams/finalizers,verbs=update
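Review bot: The marker `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=subjects;rolebindings,verbs=get;list;create;update;patch` names `subjects`, which is not a resource served by the rbac.authorization.k8s.io group (its resources are roles, rolebindings, clusterroles and clusterrolebindings), so the token is copied verbatim into role.yaml as a dead `- subjects` entry and should be dropped: `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;create;update;patch`. Create/update/patch on rolebindings is also the most sensitive grant in this patch, since it lets the adapter's service account hand permissions it already holds (presumably the ClusterRoles configured in SyncClusterRoles, declared just above the markers) to other subjects, so it deserves a why-comment above the marker such as `// Sync binds the configured SyncClusterRoles into each synced Organization, which needs the rolebinding verbs below.` to keep the scope reviewable. Whether Sync actually writes rolebindings cannot be confirmed from this hunk, as its body lies outside it.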