From 7e63fdb7cf5b1683052b76a552f28f6343b2fd4b Mon Sep 17 00:00:00 2001 From: Oleksii Orel Date: Mon, 4 Jul 2022 14:56:45 +0300 Subject: [PATCH] fix: workspaces policies (#1429) * fix: workspaces policies Signed-off-by: Oleksii Orel * Update dev resources Signed-off-by: Anatolii Bazko Co-authored-by: Anatolii Bazko --- .../manifests/che-operator.clusterserviceversion.yaml | 1 + config/rbac/cluster_role.yaml | 1 + deploy/deployment/kubernetes/combined.yaml | 1 + .../deployment/kubernetes/objects/che-operator.ClusterRole.yaml | 1 + deploy/deployment/openshift/combined.yaml | 1 + .../deployment/openshift/objects/che-operator.ClusterRole.yaml | 1 + helmcharts/next/templates/che-operator.ClusterRole.yaml | 1 + pkg/deploy/rbac/workspace_permissions.go | 2 +- 8 files changed, 8 insertions(+), 1 deletion(-) diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml index 7344c4679..21241184f 100644 --- a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml @@ -541,6 +541,7 @@ spec: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml index ec33c0047..8a39d38f9 100644 --- a/config/rbac/cluster_role.yaml +++ b/config/rbac/cluster_role.yaml @@ -156,6 +156,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml index 46bbeebcd..3e7c06cce 100644 --- a/deploy/deployment/kubernetes/combined.yaml +++ b/deploy/deployment/kubernetes/combined.yaml @@ -3935,6 +3935,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml index db6fe3b2d..cc394a6c0 100644 --- a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml +++ b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml @@ -155,6 +155,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index cc7f62507..a88f0ffa0 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml @@ -3935,6 +3935,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml index db6fe3b2d..cc394a6c0 100644 --- a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml +++ b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml @@ -155,6 +155,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/helmcharts/next/templates/che-operator.ClusterRole.yaml b/helmcharts/next/templates/che-operator.ClusterRole.yaml index db6fe3b2d..cc394a6c0 100644 --- a/helmcharts/next/templates/che-operator.ClusterRole.yaml +++ b/helmcharts/next/templates/che-operator.ClusterRole.yaml @@ -155,6 +155,7 @@ rules: - pods/exec verbs: - create + - get - apiGroups: - apps resources: diff --git a/pkg/deploy/rbac/workspace_permissions.go b/pkg/deploy/rbac/workspace_permissions.go index 2a8b2e76b..50a2e5a2a 100644 --- a/pkg/deploy/rbac/workspace_permissions.go +++ b/pkg/deploy/rbac/workspace_permissions.go @@ -269,7 +269,7 @@ func (c *WorkspacePermissionsReconciler) getWorkspacesPolicies() []rbacv1.Policy { APIGroups: []string{""}, Resources: []string{"pods/exec"}, - Verbs: []string{"create"}, + Verbs: []string{"get", "create"}, }, { APIGroups: []string{""},