fixup: make RBAC the same as on main branch

Signed-off-by: Angel Misevski <[email protected]>

Author: amisevsk

config/components/rbac/role.yaml

@@ -15,13 +15,25 @@ rules:
   - secrets
   - serviceaccounts
   verbs:
-  - create
-  - delete
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
   - get
-  - list
-  - patch
-  - update
-  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - '*'
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -37,62 +49,58 @@ rules:
   - watch
 - apiGroups:
   - apps
+  resourceNames:
+  - devworkspace-controller
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - apps
+  - extensions
   resources:
   - deployments
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
-  - batch
+  - apps
+  - extensions
   resources:
-  - jobs
+  - deployments
+  - replicasets
   verbs:
-  - create
-  - delete
-  - get
-  - update
-  - watch
+  - '*'
 - apiGroups:
-  - controller.devfile.io
+  - apps
+  - extensions
   resources:
-  - components
+  - replicasets
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
-  - controller.devfile.io
+  - batch
   resources:
-  - components/finalizers
+  - jobs
   verbs:
   - create
   - delete
   - get
-  - list
-  - patch
   - update
   - watch
 - apiGroups:
   - controller.devfile.io
   resources:
-  - components/status
+  - '*'
   verbs:
-  - get
-  - patch
-  - update
+  - '*'
 - apiGroups:
   - controller.devfile.io
   resources:
-  - workspaceroutings
+  - components
   verbs:
   - create
   - delete
@@ -104,39 +112,29 @@ rules:
 - apiGroups:
   - controller.devfile.io
   resources:
-  - workspaceroutings/finalizers
+  - components/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - controller.devfile.io
   resources:
-  - workspaceroutings/status
+  - workspaceroutings
   verbs:
-  - get
-  - patch
-  - update
+  - '*'
 - apiGroups:
-  - ""
+  - controller.devfile.io
   resources:
-  - configmap
+  - workspaceroutings/status
   verbs:
-  - create
-  - delete
   - get
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
-  - services
+  - configmap
   verbs:
   - create
   - delete
@@ -150,13 +148,14 @@ rules:
   resources:
   - ingresses
   verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
   - create
-  - delete
   - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - oauth.openshift.io
   resources:
@@ -188,42 +187,16 @@ rules:
   resources:
   - routes
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - '*'
 - apiGroups:
-  - workspace.devfile.io
-  resources:
-  - devworkspaces
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - workspace.devfile.io
+  - route.openshift.io
   resources:
-  - devworkspaces/finalizers
+  - routes/custom-host
   verbs:
   - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - workspace.devfile.io
   resources:
-  - devworkspaces/status
+  - '*'
   verbs:
-  - get
-  - patch
-  - update
+  - '*'

controllers/controller/workspacerouting/workspacerouting_controller.go

@@ -43,11 +43,13 @@ type WorkspaceRoutingReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=workspaceroutings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=controller.devfile.io,resources=workspaceroutings,verbs=*
 // +kubebuilder:rbac:groups=controller.devfile.io,resources=workspaceroutings/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=extensions,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=services,verbs=*
+// +kubebuilder:rbac:groups=extensions,resources=ingresses,verbs=*
+// +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=*
+// +kubebuidler:rbac:groups=route.openshift.io,resources=routes/status,verbs=get,list,watch
+// +kubebuilder:rbac:groups=route.openshift.io,resources=routes/custom-host,verbs=create
 
 func (r *WorkspaceRoutingReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()

controllers/workspace/devworkspace_controller.go

@@ -56,21 +56,23 @@ type DevWorkspaceReconciler struct {
 	Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=workspace.devfile.io,resources=devworkspaces,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=workspace.devfile.io,resources=devworkspaces/finalizers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=workspace.devfile.io,resources=devworkspaces/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=components,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=components/finalizers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=components/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=workspaceroutings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=workspaceroutings/finalizers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=controller.devfile.io,resources=workspaceroutings/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=pods;serviceaccounts;secrets;configmaps;persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
+/////// CRD-related RBAC roles
+// +kubebuilder:rbac:groups=workspace.devfile.io,resources=*,verbs=*
+// +kubebuilder:rbac:groups=controller.devfile.io,resources=*,verbs=*
+/////// Required permissions for controller
+// +kubebuilder:rbac:groups=apps;extensions,resources=deployments;replicasets,verbs=*
+// +kubebuilder:rbac:groups="",resources=pods;serviceaccounts;secrets;configmaps;persistentvolumeclaims,verbs=*
+// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups="batch",resources=jobs,verbs=get;create;watch;update;delete
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups=oauth.openshift.io,resources=oauthclients,verbs=get;list;watch;create;update;patch;delete;deletecollection
+// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create
+// +kubebuilder:rbac:groups=apps,resourceNames=devworkspace-controller,resources=deployments/finalizers,verbs=update
+/////// Required permissions for workspace ServiceAccount
+// +kubebuilder:rbac:groups="",resources=pods/exec,verbs=create
+// +kubebuilder:rbac:groups=apps;extensions,resources=replicasets,verbs=get;list;watch
+// +kubebuilder:rbac:groups=apps;extensions,resources=deployments,verbs=get;list;watch
 
 func (r *DevWorkspaceReconciler) Reconcile(req ctrl.Request) (reconcileResult ctrl.Result, err error) {
 	ctx := context.Background()