Generate RBAC settings declaratively

This allows RBAC settings to be declared as close as possible to their
point of use, which means that, as functions are added and deleted,
permissions will be adjusted "automatically" and we'll avoid keeping
no-longer-needed permissions.

As generated by the operator SDK, the operator ends up with only
cluster roles, but this makes sense since the operator is supposed to
be able to act in any namespace.

Fixes: submariner-io#1105
Signed-off-by: Stephen Kitt <[email protected]>

.yamllint.yml

@@ -21,6 +21,7 @@ ignore: |
   /config/crd/bases/submariner.io_brokers.yaml
   /config/crd/bases/submariner.io_submariners.yaml
   /config/crd/bases/submariner.io_servicediscoveries.yaml
+  /config/rbac/submariner-operator/role.yaml
   /config/manager/kustomization.yaml
   /config/manifests/bases/submariner.clusterserviceversion.yaml
   /bundle

Makefile

@@ -150,7 +150,7 @@ generate: vendor/modules.txt
 
 # Generate manifests e.g. CRD, RBAC etc
 manifests: generate vendor/modules.txt
-	controller-gen $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	controller-gen $(CRD_OPTIONS) rbac:roleName=submariner-operator webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:rbac:artifacts:config=config/rbac/submariner-operator
 
 # test if VERSION matches the semantic versioning rule
 is-semantic-version:

config/rbac/kustomization.yaml

@@ -3,8 +3,6 @@ resources:
   - submariner-operator/service_account.yaml
   - submariner-operator/role.yaml
   - submariner-operator/role_binding.yaml
-  - submariner-operator/cluster_role.yaml
-  - submariner-operator/cluster_role_binding.yaml
   - submariner-gateway/service_account.yaml
   - submariner-gateway/role.yaml
   - submariner-gateway/role_binding.yaml

config/rbac/submariner-operator/role.yaml

@@ -1,63 +1,198 @@
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: submariner-operator
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - services
-      - services/finalizers
-      - endpoints
-      - persistentvolumeclaims
-      - events
-      - configmaps
-      - secrets
-    verbs:
-      - '*'
-  - apiGroups:
-      - apps
-    resources:
-      - deployments
-      - daemonsets
-      - replicasets
-      - statefulsets
-    verbs:
-      - '*'
-  - apiGroups:
-      - monitoring.coreos.com
-    resources:
-      - servicemonitors
-    verbs:
-      - get
-      - create
-  - apiGroups:
-      - apps
-    resourceNames:
-      - submariner-operator
-    resources:
-      - deployments/finalizers
-    verbs:
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-  - apiGroups:
-      - apps
-    resources:
-      - replicasets
-    verbs:
-      - get
-  - apiGroups:
-      - submariner.io
-    resources:
-      - '*'
-      - servicediscoveries
-    verbs:
-      - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - rbac
+  resources:
+  - clusterrolebindings
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - rbac
+  resources:
+  - clusterroles
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - rbac
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - rbac
+  resources:
+  - roles
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - submariner.io
+  resources:
+  - brokers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - submariner.io
+  resources:
+  - brokers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - submariner.io
+  resources:
+  - gateways
+  verbs:
+  - list
+- apiGroups:
+  - submariner.io
+  resources:
+  - gateways
+  - submariners
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - submariner.io
+  resources:
+  - servicediscoveries
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - submariner.io
+  resources:
+  - servicediscoveries/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - submariner.io
+  resources:
+  - submariners
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - submariner.io
+  resources:
+  - submariners/status
+  verbs:
+  - get
+  - patch
+  - update

config/rbac/submariner-operator/role_binding.yaml

@@ -1,12 +1,13 @@
 ---
-kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   name: submariner-operator
 subjects:
   - kind: ServiceAccount
     name: submariner-operator
+    namespace: placeholder
 roleRef:
-  kind: Role
-  name: submariner-operator
   apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: submariner-operator