Fix#38 (redhat-cop#39)

* fix redhat-cop#30 Signed-off-by: raffaelespazzoli <[email protected]> * fix redhat-cop#38 Signed-off-by: raffaelespazzoli <[email protected]>
warmchang · Jul 28, 2022 · 64c916b · 64c916b
1 parent 988e3bf
commit 64c916b
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -49,6 +49,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - '*'
+  verbs:
+  - impersonate
 - apiGroups:
   - redhatcop.redhat.io
   resources:

diff --git a/controllers/customresourcedefinition_controller.go b/controllers/customresourcedefinition_controller.go
@@ -69,7 +69,6 @@ func (r *CustomResourceDefinitionReconciler) setModels(openapiModels openapi.Mod
 }
 
 //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=users;groups;serviceaccounts,verbs=impersonate
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/controllers/patch_controller.go b/controllers/patch_controller.go
@@ -49,8 +49,10 @@ type PatchReconciler struct {
 //+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;patch
 //+kubebuilder:rbac:groups="",resources=serviceaccounts;secrets,verbs=get;list;watch
 
-// needed by the pacth webhook
+// needed by the patch webhook
 //+kubebuilder:rbac:groups="*",resources="*",verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=users;groups;serviceaccounts,verbs=impersonate
+//+kubebuilder:rbac:groups="authentication.k8s.io",resources=*,verbs=impersonate
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/readme.md b/readme.md
@@ -18,6 +18,9 @@ The patch operator helps with defining patches in a declarative way. This operat
   - [Creation-time patch injection](#creation-time-patch-injection)
     - [Security Considerations](#security-considerations)
     - [Installing the creation time webhook](#installing-the-creation-time-webhook)
+      - [Enabling creation time time webhook (OLM)](#enabling-creation-time-time-webhook-olm)
+      - [Enabling creation time time webhook (Helm)](#enabling-creation-time-time-webhook-helm)
+      - [Webhook rules](#webhook-rules)
   - [Runtime patch enforcement](#runtime-patch-enforcement)
     - [Patch Controller Security Considerations](#patch-controller-security-considerations)
     - [Patch Controller Performance Considerations](#patch-controller-performance-considerations)
@@ -188,9 +191,7 @@ spec:
       targetObjectRef:
         apiVersion: admissionregistration.k8s.io/v1
         kind: MutatingWebhookConfiguration
-        labelSelector:
-          matchLabels:
-            redhat-cop.redhat.io/patch-operator: "true"
+        name: patch-operator-inject
       patchTemplate: '[{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle", "value":"{{ (index (index . 1).data "olmCAKey") }}"}]'     
       patchType: application/json-patch+json
       sourceObjectRefs:
@@ -210,8 +211,6 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: patch-operator-inject
-  labels:
-    redhat-cop.redhat.io/patch-operator: "true"
 webhooks:
 - admissionReviewVersions:
   - v1