From d4d21a25354ec7138ebde5c8038187981643650b Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 7 Mar 2024 11:01:30 +0100 Subject: [PATCH] chore: operator roles sanitizing (#1814) * chore: che-operator roles sanitizing 
Signed-off-by: Anatolii Bazko --- build/scripts/minikube-tests/common.sh | 2 + .../test-operator-from-sources.sh | 3 + .../che-operator.clusterserviceversion.yaml | 447 ++++------------- .../che-operator.clusterserviceversion.yaml | 2 +- .../rbac/auth_proxy_client_clusterrole.yaml | 21 - config/rbac/auth_proxy_role.yaml | 29 -- config/rbac/auth_proxy_role_binding.yaml | 24 - config/rbac/auth_proxy_service.yaml | 26 - config/rbac/checluster_editor_role.yaml | 36 -- config/rbac/checluster_viewer_role.yaml | 32 -- config/rbac/cluster_role.yaml | 262 ++++------ config/rbac/kustomization.yaml | 2 - config/rbac/leader_election_role.yaml | 56 --- config/rbac/leader_election_role_binding.yaml | 29 -- config/rbac/role.yaml | 198 ++------ config/rbac/role_binding.yaml | 4 +- .../usernamespace/namespacecache_test.go | 2 - deploy/deployment/kubernetes/combined.yaml | 471 ++++-------------- .../che-operator-leader-election.Role.yaml | 54 -- ...-operator-leader-election.RoleBinding.yaml | 29 -- .../objects/che-operator.ClusterRole.yaml | 258 ++++------ .../kubernetes/objects/che-operator.Role.yaml | 166 +----- deploy/deployment/openshift/combined.yaml | 471 ++++-------------- .../che-operator-leader-election.Role.yaml | 54 -- ...-operator-leader-election.RoleBinding.yaml | 29 -- .../objects/che-operator.ClusterRole.yaml | 258 ++++------ .../openshift/objects/che-operator.Role.yaml | 166 +----- .../che-operator-leader-election.Role.yaml | 54 -- ...-operator-leader-election.RoleBinding.yaml | 29 -- .../templates/che-operator.ClusterRole.yaml | 258 ++++------ .../next/templates/che-operator.Role.yaml | 166 +----- main.go | 2 - pkg/common/test/utils.go | 10 +- pkg/deploy/server/rbac.go | 15 - 34 files changed, 765 insertions(+), 2900 deletions(-) delete mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml delete mode 100644 config/rbac/auth_proxy_role.yaml delete mode 100644 config/rbac/auth_proxy_role_binding.yaml delete mode 100644 config/rbac/auth_proxy_service.yaml delete 
mode 100644 config/rbac/checluster_editor_role.yaml delete mode 100644 config/rbac/checluster_viewer_role.yaml delete mode 100644 config/rbac/leader_election_role.yaml delete mode 100644 config/rbac/leader_election_role_binding.yaml delete mode 100644 deploy/deployment/kubernetes/objects/che-operator-leader-election.Role.yaml delete mode 100644 deploy/deployment/kubernetes/objects/che-operator-leader-election.RoleBinding.yaml delete mode 100644 deploy/deployment/openshift/objects/che-operator-leader-election.Role.yaml delete mode 100644 deploy/deployment/openshift/objects/che-operator-leader-election.RoleBinding.yaml delete mode 100644 helmcharts/next/templates/che-operator-leader-election.Role.yaml delete mode 100644 helmcharts/next/templates/che-operator-leader-election.RoleBinding.yaml diff --git a/build/scripts/minikube-tests/common.sh b/build/scripts/minikube-tests/common.sh index 2cb24d094..ccfa51445 100755 --- a/build/scripts/minikube-tests/common.sh +++ b/build/scripts/minikube-tests/common.sh @@ -215,6 +215,8 @@ spec: - name: ide uri: http://plugin-registry.eclipse-che.svc:8080/v3/plugins/che-incubator/che-code/insiders/devfile.yaml template: + attributes: + controller.devfile.io/storage-type: ephemeral components: - name: tooling-container container: diff --git a/build/scripts/minikube-tests/test-operator-from-sources.sh b/build/scripts/minikube-tests/test-operator-from-sources.sh index 8072233bf..48fe63d1b 100755 --- a/build/scripts/minikube-tests/test-operator-from-sources.sh +++ b/build/scripts/minikube-tests/test-operator-from-sources.sh @@ -16,6 +16,9 @@ set -e OPERATOR_REPO=$(dirname "$(dirname "$(dirname "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")")")") source "${OPERATOR_REPO}/build/scripts/minikube-tests/common.sh" +# Stop execution on any error +trap "catchFinish" EXIT SIGINT + init() { unset CR_PATCH_YAML 
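Review bot: The added comment `# Stop execution on any error` in test-operator-from-sources.sh describes `set -e`, not the line under it: `trap "catchFinish" EXIT SIGINT` only registers a handler that runs when the script exits or is interrupted. A comment such as `# Run catchFinish on exit or Ctrl-C; set -e above aborts on the first failing command` would match the behaviour. `catchFinish` is not defined in this hunk (presumably it comes from the sourced common.sh). Because it is bound to both EXIT and SIGINT it can be invoked twice on an interrupt, so it should tolerate a second call.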
diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml index b7b35840e..840eb351d 100644 --- a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml @@ -92,7 +92,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 repository: https://github.com/eclipse-che/che-operator support: Eclipse Foundation - name: eclipse-che.v7.82.0-842.next + name: eclipse-che.v7.83.0-858.next namespace: placeholder spec: apiservicedefinitions: {} @@ -499,11 +499,17 @@ spec: clusterPermissions: - rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: 
@@ -511,93 +517,61 @@ spec: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch - - apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch - - apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch - - apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get - - apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list + - apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete - - apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
@@ -625,64 +599,39 @@ spec: - create - update - watch - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list - - apiGroups: - - "" - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -696,49 +645,18 @@ spec: verbs: - list - watch - - apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update - - apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get - - apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -748,16 +666,6 @@ spec: - get - list - watch - - apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - "" resources: 
@@ -768,33 +676,27 @@ spec: - serviceaccounts - services verbs: - - '*' - - apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -804,7 +706,11 @@ spec: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resourceNames: @@ -813,6 +719,14 @@ spec: - consoles verbs: - get + - apiGroups: + - config.openshift.io + resourceNames: + - cluster + resources: + - proxies + verbs: + - get - apiGroups: - "" resources: @@ -829,32 +743,39 @@ spec: - get - list - create + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -897,6 +818,13 @@ spec: - limitranges verbs: - list + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create serviceAccountName: che-operator deployments: - name: che-operator 
@@ -1033,197 +961,30 @@ spec: terminationGracePeriodSeconds: 20 permissions: - rules: - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list - - apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete - - apiGroups: - - "" - resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - - pods/exec - - pods/log - verbs: - - '*' - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' - - apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' - - apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list - - apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' - - apiGroups: - - 
controller.devfile.io - resources: - - devworkspaceroutings/finalizers - verbs: - - update - - apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - - patch - - update - - apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - apiGroups: - "" resources: - configmaps verbs: - - get - - list - - watch - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - coordination.k8s.io resources: - leases verbs: - - get - - list - - watch - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - "" resources: @@ -1251,7 +1012,7 @@ spec: - java links: - name: Product Page - url: http://www.eclipse.org/che + url: https://www.eclipse.org/che - name: Documentation url: https://www.eclipse.org/che/docs - name: Operator GitHub Repo @@ -1263,7 +1024,7 @@ spec: minKubeVersion: 1.19.0 provider: name: Eclipse Foundation - version: 7.82.0-842.next + version: 7.83.0-858.next webhookdefinitions: - admissionReviewVersions: - v1 diff --git a/config/manifests/bases/che-operator.clusterserviceversion.yaml b/config/manifests/bases/che-operator.clusterserviceversion.yaml index fd5cc017c..00bb87477 100644 --- a/config/manifests/bases/che-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/che-operator.clusterserviceversion.yaml @@ -447,7 +447,7 @@ spec: - java links: - name: Product Page - url: http://www.eclipse.org/che + url: https://www.eclipse.org/che - name: Documentation url: https://www.eclipse.org/che/docs - name: Operator GitHub Repo diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml deleted file mode 100644 index ec9ef7489..000000000 --- a/config/rbac/auth_proxy_client_clusterrole.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml deleted file mode 100644 index a51cdbba4..000000000 --- a/config/rbac/auth_proxy_role.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml deleted file mode 100644 index a6ebebbfe..000000000 --- a/config/rbac/auth_proxy_role_binding.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: che-operator - namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 9d9df6b49..000000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: v1 -kind: Service -metadata: - labels: - app: che-operator - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - app: che-operator diff --git a/config/rbac/checluster_editor_role.yaml b/config/rbac/checluster_editor_role.yaml deleted file mode 100644 index 9e9b07b5e..000000000 --- a/config/rbac/checluster_editor_role.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -# permissions for end users to edit checlusters. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: checluster-editor-role -rules: -- apiGroups: - - org.eclipse.che - resources: - - checlusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - org.eclipse.che - resources: - - checlusters/status - verbs: - - get diff --git a/config/rbac/checluster_viewer_role.yaml b/config/rbac/checluster_viewer_role.yaml deleted file mode 100644 index 2ea632ce1..000000000 --- a/config/rbac/checluster_viewer_role.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -# permissions for end users to view checlusters. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: checluster-viewer-role -rules: -- apiGroups: - - org.eclipse.che - resources: - - checlusters - verbs: - - get - - list - - watch -- apiGroups: - - org.eclipse.che - resources: - - checlusters/status - verbs: - - get diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml index 52f8cc32e..a0ba01916 100644 --- a/config/rbac/cluster_role.yaml +++ b/config/rbac/cluster_role.yaml 
@@ -21,11 +21,17 @@ metadata: app.kubernetes.io/component: che-operator rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: @@ -33,93 +39,61 @@ rules: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch - - apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch - - apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch - - apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get - - apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list + - apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete - - apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
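Review bot: In config/rbac/cluster_role.yaml the `rbac.authorization.k8s.io` rule gets wider in a commit that otherwise narrows permissions: `patch` is added, and the service account keeps cluster-wide write access to `clusterroles` and `clusterrolebindings` with no `resourceNames`. Kubernetes only lets a subject grant permissions it already holds unless it has `bind` or `escalate`, so what this rule can hand out is bounded by whatever else the operator's service account holds. That dependency deserves a comment above the rule, for example `# bounded by RBAC escalation checks; never add bind/escalate to this rule`. If the names of the cluster-scoped objects the operator manages are fixed, `delete`/`update`/`patch` could be moved into a separate rule with `resourceNames`; the visible lines do not let me confirm that. The bundle CSV hunk earlier in the patch carries the same rule.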
@@ -147,64 +121,39 @@ rules: - create - update - watch - - apiGroups: - - '' - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list - - apiGroups: - - '' - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete - - apiGroups: - - '' - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -218,49 +167,18 @@ rules: verbs: - list - watch - - apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update - - apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get - - apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -270,16 +188,6 @@ rules: - get - list - watch - - apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - '' resources: 
@@ -290,33 +198,27 @@ rules: - serviceaccounts - services verbs: - - '*' - - apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -326,7 +228,11 @@ rules: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resources: @@ -335,6 +241,14 @@ rules: - cluster verbs: - get + - apiGroups: + - config.openshift.io + resources: + - proxies + resourceNames: + - cluster + verbs: + - get - apiGroups: - '' resources: @@ -351,32 +265,39 @@ rules: - get - list - create + - apiGroups: + - '' + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - - controller.devfile.io + - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -418,4 +339,11 @@ rules: resources: - limitranges verbs: - - list \ No newline at end of file + - list + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create \ No newline at end of file diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 7a079ad21..d27ba9c76 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
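Review bot: The explicit verb list that replaces `'*'` on `kubernetesimagepullers` (`create`, `delete`, `get`, `update`, `list`) omits `watch` and `patch`, unlike the other rules rewritten in this file. If the operator reads this type through a cached client or registers a watch on it, the informer's watch request would be rejected once this role is applied. The Go code is not visible in this part of the patch, so this needs checking against the reconciler. If the omission is deliberate, a one-line comment such as `# read with a non-cached client; no watch needed` would stop someone from "fixing" it later; otherwise add `- watch`.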
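Review bot: `pods/exec` with `create` and `get` is moved within the ClusterRole rather than narrowed, so the operator's service account can still exec into any pod in any namespace. That makes a compromise of the operator token equivalent to command execution in every workload on the cluster. If exec is only needed against pods in the namespace where Che is installed (not confirmable from the visible lines), the rule belongs in the namespaced `che-operator` Role in config/rbac/role.yaml instead. If it really must be cluster-wide, add a comment above the rule naming the caller that needs it, e.g. `# exec into <component> pods in user namespaces; see <caller>`, so the grant can be audited. The `rules:` list starts outside this hunk.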
@@ -21,5 +21,3 @@ resources: - role_binding.yaml - cluster_role.yaml - cluster_rolebinding.yaml -- leader_election_role.yaml -- leader_election_role_binding.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml deleted file mode 100644 index 0ed7cda10..000000000 --- a/config/rbac/leader_election_role.yaml +++ /dev/null @@ -1,56 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -# permissions to do leader election. - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: che-operator-leader-election - namespace: eclipse-che - labels: - app.kubernetes.io/name: che - app.kubernetes.io/instance: che - app.kubernetes.io/part-of: che.eclipse.org - app.kubernetes.io/component: che-operator -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml deleted file mode 100644 index 137a5b58e..000000000 --- a/config/rbac/leader_election_role_binding.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: che-operator-leader-election - namespace: eclipse-che - labels: - app.kubernetes.io/name: che - app.kubernetes.io/instance: che - app.kubernetes.io/part-of: che.eclipse.org - app.kubernetes.io/component: che-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: che-operator-leader-election -subjects: -- kind: ServiceAccount - name: che-operator diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index b5941129f..693c2fa97 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml 
@@ -21,170 +21,34 @@ metadata: app.kubernetes.io/part-of: che.eclipse.org app.kubernetes.io/name: che rules: -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete -- apiGroups: - - "" - resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - - pods/exec - - pods/log - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' -- apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' -- apiGroups: - - 
controller.devfile.io - resources: - - devworkspaceroutings/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - - patch - - update -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - update + - patch + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - update + - patch + - watch + - list + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch \ No newline at end of file diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 2f3840226..88a14a81a 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -25,5 +25,5 @@ roleRef: kind: Role name: che-operator subjects: -- kind: ServiceAccount - name: che-operator + - kind: ServiceAccount + name: che-operator diff --git a/controllers/usernamespace/namespacecache_test.go b/controllers/usernamespace/namespacecache_test.go index 4722cb512..41d300ea7 100644 --- a/controllers/usernamespace/namespacecache_test.go +++ b/controllers/usernamespace/namespacecache_test.go @@ -26,7 +26,6 @@ import ( routev1 "github.com/openshift/api/route/v1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - extensions "k8s.io/api/extensions/v1beta1" networkingv1 "k8s.io/api/networking/v1" "k8s.io/api/node/v1alpha1" rbac "k8s.io/api/rbac/v1" @@ -42,7 +41,6 @@ import ( func createTestScheme() *runtime.Scheme { scheme := runtime.NewScheme() utilruntime.Must(v1alpha1.AddToScheme(scheme)) - utilruntime.Must(extensions.AddToScheme(scheme)) utilruntime.Must(corev1.AddToScheme(scheme)) utilruntime.Must(appsv1.AddToScheme(scheme)) utilruntime.Must(rbac.AddToScheme(scheme)) 
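Review bot: The rules left in config/rbac/role.yaml are the ones from the deleted leader_election_role.yaml, but its `# permissions to do leader election.` comment was not carried over. Nothing in the `che-operator` Role now says why it holds full write access to `configmaps` and `leases`. I would add that comment above `rules:`. If the manager's leader-election lock uses only Leases (main.go is not visible in this part of the patch), the `configmaps` rule could be dropped, since it otherwise lets the operator modify or delete every ConfigMap in its namespace. The file also still ends without a trailing newline.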
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml index 524be8bca..3c66ad390 100644 --- a/deploy/deployment/kubernetes/combined.yaml +++ b/deploy/deployment/kubernetes/combined.yaml 
@@ -8201,209 +8201,30 @@ metadata: name: che-operator namespace: eclipse-che rules: -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete -- apiGroups: - - "" - resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - - pods/exec - - pods/log - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' -- apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' -- apiGroups: - - controller.devfile.io - 
resources: - - devworkspaceroutings/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - - patch - - update -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -rules: - apiGroups: - "" resources: - configmaps verbs: - - get - - list - - watch - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - coordination.k8s.io resources: - leases verbs: - - get - - list - - watch - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - "" resources: @@ -8423,11 +8244,17 @@ metadata: name: che-operator rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: 
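Review bot: The merged `che-operator` Role at `@@ -8201,209 +8201,30 @@` grants `create`/`delete`/`update`/`patch` on every ConfigMap in `eclipse-che`, and the only visible reason is that the leader-election rules were folded into it. If the manager's election lock is Lease-based (the manager setup is not in this hunk), the `configmaps` rule can be dropped and the `coordination.k8s.io` `leases` rule kept on its own. Otherwise a one-line comment above the rule, e.g. `# leader-election lock only`, would stop it being read as general ConfigMap access. The same rule is repeated in the `objects/che-operator.Role.yaml` hunks and the OpenShift copies, which appear to be generated from `config/rbac/role.yaml`, so the change belongs there.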
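Review bot: The first ClusterRole rule at `@@ -8423,11 +8244,17 @@` grants `create`/`delete`/`update`/`patch` on `batch` `jobs` in every namespace, whereas the rule removed from the namespaced Role granted them only in `eclipse-che`. A cluster-wide Job grant lets the operator's service account schedule workloads in namespaces it does not own, so for a commit titled "roles sanitizing" this is a wider grant than the one it replaces. If Jobs are only created in the operator namespace (the controller code is outside this diff), keep the `jobs` rule in the Role instead. If they are needed elsewhere, record why in a comment next to the rule. The same rule appears in `objects/che-operator.ClusterRole.yaml` and in both OpenShift copies.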
@@ -8435,93 +8262,61 @@ rules: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch -- apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch -- apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch -- apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get -- apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list +- apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
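Review bot: The `rbac.authorization.k8s.io` rule in this hunk keeps cluster-wide write access to `clusterroles` and `clusterrolebindings`, and the change adds `patch` to it. The API server's escalation check limits what the operator can grant to what it already holds, which makes the breadth of this ClusterRole the effective ceiling for anything it binds. If the operator only manages namespaced roles and bindings (not visible here), move `clusterroles` and `clusterrolebindings` into a separate rule limited to `get`/`list`/`watch`. In the same hunk `authorization.openshift.io` `roles` loses `delete` while `rolebindings` keeps it; confirm that asymmetry is intended. The hunk is repeated in the `objects/` and OpenShift copies.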
@@ -8549,64 +8344,39 @@ rules: - create - update - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -8620,49 +8390,18 @@ rules: verbs: - list - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get -- apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -8672,16 +8411,6 @@ rules: - get - list - watch -- apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - "" resources: 
@@ -8692,33 +8421,27 @@ rules: - serviceaccounts - services verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -8728,7 +8451,11 @@ rules: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resourceNames: @@ -8737,6 +8464,14 @@ rules: - consoles verbs: - get +- apiGroups: + - config.openshift.io + resourceNames: + - cluster + resources: + - proxies + verbs: + - get - apiGroups: - "" resources: @@ -8753,32 +8488,39 @@ rules: - get - list - create +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -8821,6 +8563,13 @@ rules: - limitranges verbs: - list +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
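Review bot: The explicit verb list for `kubernetesimagepullers` at `@@ -8728,7 +8451,11 @@` omits `patch` and `watch`, which every other rule rewritten from `'*'` in the visible hunks includes. If the operator reads these objects through a cached client or patches them during reconcile (the controller code is outside this diff), those requests will be rejected as forbidden after this change. Either add `- patch` and `- watch`, or add a comment stating that only `create`/`delete`/`get`/`update`/`list` are used. The rule is repeated in the `objects/` and OpenShift copies.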
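Review bot: The `pods/exec` rule with `create` is only moved within the ClusterRole at `@@ -8753,32 +8488,39 @@`, not narrowed, so the operator's service account can still open an exec session in any pod in the cluster. If exec is only needed against pods in the operator namespace or in namespaces the operator provisions (not visible here), grant it through the namespaced Role or a per-namespace RoleBinding rather than cluster-wide. At minimum, a comment such as `# pods/exec: <which pods, and why>` next to the rule would make the grant auditable. The same applies to the `objects/` and OpenShift copies of this hunk.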
@@ -8841,24 +8590,6 @@ subjects: name: che-operator --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: che-operator-leader-election -subjects: -- kind: ServiceAccount - name: che-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: diff --git a/deploy/deployment/kubernetes/objects/che-operator-leader-election.Role.yaml b/deploy/deployment/kubernetes/objects/che-operator-leader-election.Role.yaml deleted file mode 100644 index 60c047f84..000000000 --- a/deploy/deployment/kubernetes/objects/che-operator-leader-election.Role.yaml +++ /dev/null @@ -1,54 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch 
diff --git a/deploy/deployment/kubernetes/objects/che-operator-leader-election.RoleBinding.yaml b/deploy/deployment/kubernetes/objects/che-operator-leader-election.RoleBinding.yaml deleted file mode 100644 index b79874d66..000000000 --- a/deploy/deployment/kubernetes/objects/che-operator-leader-election.RoleBinding.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: che-operator-leader-election -subjects: -- kind: ServiceAccount - name: che-operator diff --git a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml index a504afcd1..3b506c07d 100644 --- a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml +++ b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml @@ -21,11 +21,17 @@ metadata: name: che-operator rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: 
@@ -33,93 +39,61 @@ rules: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch -- apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch -- apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch -- apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get -- apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list +- apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
@@ -147,64 +121,39 @@ rules: - create - update - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -218,49 +167,18 @@ rules: verbs: - list - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get -- apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -270,16 +188,6 @@ rules: - get - list - watch -- apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - "" resources: 
@@ -290,33 +198,27 @@ rules: - serviceaccounts - services verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -326,7 +228,11 @@ rules: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resourceNames: @@ -335,6 +241,14 @@ rules: - consoles verbs: - get +- apiGroups: + - config.openshift.io + resourceNames: + - cluster + resources: + - proxies + verbs: + - get - apiGroups: - "" resources: @@ -351,32 +265,39 @@ rules: - get - list - create +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -419,3 +340,10 @@ rules: - limitranges verbs: - list +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create diff --git a/deploy/deployment/kubernetes/objects/che-operator.Role.yaml b/deploy/deployment/kubernetes/objects/che-operator.Role.yaml index 382caee63..43625be99 100644 --- a/deploy/deployment/kubernetes/objects/che-operator.Role.yaml +++ b/deploy/deployment/kubernetes/objects/che-operator.Role.yaml 
@@ -21,170 +21,34 @@ metadata: name: che-operator namespace: eclipse-che rules: -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete - apiGroups: - "" resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - configmaps - - secrets - - pods/exec - - pods/log verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - create -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' -- apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps/status - verbs: + - delete - get - update - patch + - watch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - "" resources: - events verbs: - create -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update 
-- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - patch - - update -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index bc5c3d461..3e3745168 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml 
@@ -8201,209 +8201,30 @@ metadata: name: che-operator namespace: eclipse-che rules: -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete -- apiGroups: - - "" - resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - - pods/exec - - pods/log - verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' -- apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' -- apiGroups: - - controller.devfile.io - 
resources: - - devworkspaceroutings/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - - patch - - update -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -rules: - apiGroups: - "" resources: - configmaps verbs: - - get - - list - - watch - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - coordination.k8s.io resources: - leases verbs: - - get - - list - - watch - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - "" resources: @@ -8423,11 +8244,17 @@ metadata: name: che-operator rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: 
@@ -8435,93 +8262,61 @@ rules: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch -- apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch -- apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch -- apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get -- apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list +- apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
@@ -8549,64 +8344,39 @@ rules: - create - update - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -8620,49 +8390,18 @@ rules: verbs: - list - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get -- apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -8672,16 +8411,6 @@ rules: - get - list - watch -- apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - "" resources: 
@@ -8692,33 +8421,27 @@ rules: - serviceaccounts - services verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -8728,7 +8451,11 @@ rules: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resourceNames: @@ -8737,6 +8464,14 @@ rules: - consoles verbs: - get +- apiGroups: + - config.openshift.io + resourceNames: + - cluster + resources: + - proxies + verbs: + - get - apiGroups: - "" resources: @@ -8753,32 +8488,39 @@ rules: - get - list - create +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -8821,6 +8563,13 @@ rules: - limitranges verbs: - list +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -8841,24 +8590,6 @@ subjects: name: che-operator --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: che-operator-leader-election -subjects: -- kind: ServiceAccount - name: che-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: diff --git a/deploy/deployment/openshift/objects/che-operator-leader-election.Role.yaml b/deploy/deployment/openshift/objects/che-operator-leader-election.Role.yaml deleted file mode 100644 index 60c047f84..000000000 --- a/deploy/deployment/openshift/objects/che-operator-leader-election.Role.yaml +++ /dev/null @@ -1,54 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch 
diff --git a/deploy/deployment/openshift/objects/che-operator-leader-election.RoleBinding.yaml b/deploy/deployment/openshift/objects/che-operator-leader-election.RoleBinding.yaml deleted file mode 100644 index b79874d66..000000000 --- a/deploy/deployment/openshift/objects/che-operator-leader-election.RoleBinding.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: che-operator-leader-election -subjects: -- kind: ServiceAccount - name: che-operator diff --git a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml index a504afcd1..3b506c07d 100644 --- a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml +++ b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml @@ -21,11 +21,17 @@ metadata: name: che-operator rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: 
@@ -33,93 +39,61 @@ rules: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch -- apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch -- apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch -- apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get -- apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list +- apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
@@ -147,64 +121,39 @@ rules: - create - update - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -218,49 +167,18 @@ rules: verbs: - list - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get -- apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -270,16 +188,6 @@ rules: - get - list - watch -- apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - "" resources: 
@@ -290,33 +198,27 @@ rules: - serviceaccounts - services verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -326,7 +228,11 @@ rules: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resourceNames: @@ -335,6 +241,14 @@ rules: - consoles verbs: - get +- apiGroups: + - config.openshift.io + resourceNames: + - cluster + resources: + - proxies + verbs: + - get - apiGroups: - "" resources: @@ -351,32 +265,39 @@ rules: - get - list - create +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -419,3 +340,10 @@ rules: - limitranges verbs: - list +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create diff --git a/deploy/deployment/openshift/objects/che-operator.Role.yaml b/deploy/deployment/openshift/objects/che-operator.Role.yaml index 382caee63..43625be99 100644 --- a/deploy/deployment/openshift/objects/che-operator.Role.yaml +++ b/deploy/deployment/openshift/objects/che-operator.Role.yaml 
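Review bot: The added `config.openshift.io` rule in the `@@ -335,6 +241,14 @@` hunk allows only `get` on the `proxies` object named `cluster`, whereas the rule removed earlier in this file allowed `get`, `list` and `watch` on `proxies`. That is the right shape for least privilege, but a read that goes through a cache-backed client needs `list` and `watch` to start its informer and would be denied; the diff does not show how the operator reads the Proxy, so this is worth confirming before merge. A comment above the rule such as `# read by name with a non-cached client; no list/watch needed` would pin the assumption, and the same applies to the `consoles` rule just before it. The hunk is repeated in `helmcharts/next/templates/che-operator.ClusterRole.yaml`.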
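Review bot: The `pods/exec` rule re-added in the `@@ -351,32 +265,39 @@` hunk (`create`, `get` under apiGroup `""`) lives in the ClusterRole, so it permits exec into pods in every namespace, while this commit drops `pods/exec` from the namespaced `che-operator` Role. If the operator only execs into pods in its own namespace, which this diff does not show, the rule belongs in `che-operator.Role.yaml` rather than here. If it does need other namespaces, a comment of the form `# pods/exec: <which pods, which namespaces, why>` above the rule would document the grant for the next audit. The same hunk is repeated in `helmcharts/next/templates/che-operator.ClusterRole.yaml`.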
@@ -21,170 +21,34 @@ metadata: name: che-operator namespace: eclipse-che rules: -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete - apiGroups: - "" resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - configmaps - - secrets - - pods/exec - - pods/log verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - create -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' -- apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps/status - verbs: + - delete - get - update - patch + - watch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - "" resources: - events verbs: - create -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update 
-- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - patch - - update -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/helmcharts/next/templates/che-operator-leader-election.Role.yaml b/helmcharts/next/templates/che-operator-leader-election.Role.yaml deleted file mode 100644 index 60c047f84..000000000 --- a/helmcharts/next/templates/che-operator-leader-election.Role.yaml +++ /dev/null @@ -1,54 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch diff --git a/helmcharts/next/templates/che-operator-leader-election.RoleBinding.yaml b/helmcharts/next/templates/che-operator-leader-election.RoleBinding.yaml deleted file mode 100644 index b79874d66..000000000 
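Review bot: The `configmaps` rule in the new namespaced Role grants all seven verbs on every ConfigMap in `eclipse-che`; it appears to be carried over from the deleted `che-operator-leader-election` Role, which listed the same `configmaps`, `leases` and `events` rules. If the operator's leader election uses the `leases` rule that follows, the ConfigMap write access is probably unnecessary here and could be dropped, or limited with `resourceNames` to the lock object for the non-`create` verbs. Whether anything else relies on this rule is not visible in the hunk, so at minimum a comment such as `# leader election lock (ConfigMap-based)` would say why it stays. The same hunk is repeated in `helmcharts/next/templates/che-operator.Role.yaml`.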
--- a/helmcharts/next/templates/che-operator-leader-election.RoleBinding.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# -# Copyright (c) 2019-2023 Red Hat, Inc. -# This program and the accompanying materials are made -# available under the terms of the Eclipse Public License 2.0 -# which is available at https://www.eclipse.org/legal/epl-2.0/ -# -# SPDX-License-Identifier: EPL-2.0 -# -# Contributors: -# Red Hat, Inc. - initial API and implementation -# - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: che-operator - app.kubernetes.io/instance: che - app.kubernetes.io/name: che - app.kubernetes.io/part-of: che.eclipse.org - name: che-operator-leader-election - namespace: eclipse-che -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: che-operator-leader-election -subjects: -- kind: ServiceAccount - name: che-operator diff --git a/helmcharts/next/templates/che-operator.ClusterRole.yaml b/helmcharts/next/templates/che-operator.ClusterRole.yaml index a504afcd1..3b506c07d 100644 --- a/helmcharts/next/templates/che-operator.ClusterRole.yaml +++ b/helmcharts/next/templates/che-operator.ClusterRole.yaml @@ -21,11 +21,17 @@ metadata: name: che-operator rules: - apiGroups: - - "" + - batch resources: - - nodes + - jobs verbs: + - create + - delete - get + - update + - patch + - watch + - list - apiGroups: - oauth.openshift.io resources: 
@@ -33,93 +39,61 @@ rules: verbs: - create - delete - - deletecollection - get - - list - - patch - update - - watch -- apiGroups: - - config.openshift.io - resources: - - oauths - verbs: - - get - - list - - watch - patch -- apiGroups: - - config.openshift.io - resources: - - infrastructures - - proxies - verbs: - - get - - list - watch -- apiGroups: - - user.openshift.io - resources: - - users - verbs: - list - - delete - apiGroups: - user.openshift.io resources: - groups verbs: - get -- apiGroups: - - user.openshift.io - resources: - - identities - verbs: - - delete - apiGroups: - console.openshift.io resources: - consolelinks verbs: - - get - - list - create + - delete + - get - update - patch - - delete + - watch + - list - apiGroups: - rbac.authorization.k8s.io resources: - - clusterrolebindings - - clusterroles - roles - rolebindings + - clusterroles + - clusterrolebindings verbs: - - list - create - - watch - - update + - delete - get + - update + - patch + - watch + - list +- apiGroups: + - authorization.openshift.io + resources: + - rolebindings + verbs: + - get + - create + - update - delete - apiGroups: - authorization.openshift.io resources: - roles - - rolebindings verbs: - get - create - update - - delete -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - - checlusters/status - verbs: - - '*' - apiGroups: - project.openshift.io resources: 
@@ -147,64 +121,39 @@ rules: - create - update - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - get - apiGroups: - apps resources: - - secrets + - replicasets verbs: - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - list - get - - create - - update + - list - patch - delete -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - create - - watch - - delete - apiGroups: - apps - - extensions resources: - deployments - - replicasets verbs: - - '*' + - list + - create + - watch + - update + - get + - patch + - delete - apiGroups: - route.openshift.io resources: - routes verbs: - - '*' + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - route.openshift.io resources: @@ -218,49 +167,18 @@ rules: verbs: - list - watch -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list - - get - - patch - - delete -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' - apiGroups: - networking.k8s.io resources: - ingresses verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - create + - delete + - get - update -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - verbs: - - get -- apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - verbs: - - list - - get + - patch - watch + - list - apiGroups: - metrics.k8s.io resources: @@ -270,16 +188,6 @@ rules: - get - list - watch -- apiGroups: - - cert-manager.io - resources: - - issuers - - certificates - verbs: - - create - - get - - list - - update - apiGroups: - "" resources: 
@@ -290,33 +198,27 @@ rules: - serviceaccounts - services verbs: - - '*' -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: + - create + - delete + - get - update + - patch + - watch + - list - apiGroups: - - batch + - org.eclipse.che resources: - - jobs + - checlusters + - checlusters/status + - checlusters/finalizers verbs: - create - delete - get - update + - patch - watch - list -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - create - - get - nonResourceURLs: - /metrics verbs: @@ -326,7 +228,11 @@ rules: resources: - kubernetesimagepullers verbs: - - '*' + - create + - delete + - get + - update + - list - apiGroups: - config.openshift.io resourceNames: @@ -335,6 +241,14 @@ rules: - consoles verbs: - get +- apiGroups: + - config.openshift.io + resourceNames: + - cluster + resources: + - proxies + verbs: + - get - apiGroups: - "" resources: @@ -351,32 +265,39 @@ rules: - get - list - create +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get - apiGroups: - workspace.devfile.io resources: - devworkspaces - devworkspacetemplates verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: - devworkspaceroutings - devworkspaceoperatorconfigs verbs: - - get - - list - - watch - create - delete - - patch + - get - update + - patch + - watch + - list - apiGroups: - controller.devfile.io resources: @@ -419,3 +340,10 @@ rules: - limitranges verbs: - list +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create diff --git a/helmcharts/next/templates/che-operator.Role.yaml b/helmcharts/next/templates/che-operator.Role.yaml index 382caee63..43625be99 100644 --- a/helmcharts/next/templates/che-operator.Role.yaml +++ b/helmcharts/next/templates/che-operator.Role.yaml 
@@ -21,170 +21,34 @@ metadata: name: che-operator namespace: eclipse-che rules: -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - '*' -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - update - - watch - - list -- apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - - clusterroles - - clusterrolebindings - verbs: - - list - - create - - watch - - update - - get - - delete - apiGroups: - "" resources: - - pods - - services - - serviceaccounts - - endpoints - - persistentvolumeclaims - - events - configmaps - - secrets - - pods/exec - - pods/log verbs: - - '*' -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - apps - - extensions - resources: - - deployments - - replicasets - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - create -- apiGroups: - - org.eclipse.che - resources: - - checlusters - - checlusters/status - - checlusters/finalizers - verbs: - - '*' -- apiGroups: - - metrics.k8s.io - resources: - - pods - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - operators.coreos.com - resources: - - subscriptions - - clusterserviceversions - - operatorgroups - verbs: - - '*' -- apiGroups: - - packages.operators.coreos.com - resources: - - packagemanifests - verbs: - - get - - list -- apiGroups: - - "" - resources: - - configmaps/status - verbs: + - delete - get - update - patch + - watch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - update + - patch + - watch + - list - apiGroups: - "" resources: - events verbs: - create -- apiGroups: - - apps - resourceNames: - - che-operator - resources: - - deployments/finalizers - verbs: - - update 
-- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings - verbs: - - '*' -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/finalizers - verbs: - - update -- apiGroups: - - controller.devfile.io - resources: - - devworkspaceroutings/status - verbs: - - get - patch - - update -- apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch diff --git a/main.go b/main.go index 55b180b8a..3c8d03afd 100644 --- a/main.go +++ b/main.go @@ -68,7 +68,6 @@ import ( operatorsv1 "github.com/operator-framework/api/pkg/operators/v1" operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" packagesv1 "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apis/operators/v1" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" image_puller_api "github.com/che-incubator/kubernetes-image-puller-operator/api/v1alpha1" projectv1 "github.com/openshift/api/project/v1" @@ -131,7 +130,6 @@ func init() { //+kubebuilder:scaffold:scheme utilruntime.Must(clientgoscheme.AddToScheme(scheme)) utilruntime.Must(admissionregistrationv1.AddToScheme(scheme)) - utilruntime.Must(apiextensionsv1.AddToScheme(scheme)) utilruntime.Must(rbacv1.AddToScheme(scheme)) // Setup Scheme for all resources diff --git a/pkg/common/test/utils.go b/pkg/common/test/utils.go index f925162ed..ef593bef1 100644 --- a/pkg/common/test/utils.go +++ b/pkg/common/test/utils.go 
@@ -31,11 +31,8 @@ import ( "github.com/eclipse-che/che-operator/pkg/common/chetypes" console "github.com/openshift/api/console/v1" oauthv1 "github.com/openshift/api/oauth/v1" - userv1 "github.com/openshift/api/user/v1" - operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - crdv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -191,17 +188,12 @@ func GetDeployContext(cheCluster *chev2.CheCluster, initObjs []runtime.Object) * scheme := scheme.Scheme chev2.SchemeBuilder.AddToScheme(scheme) - scheme.AddKnownTypes(operatorsv1alpha1.SchemeGroupVersion, &operatorsv1alpha1.Subscription{}) scheme.AddKnownTypes(controllerv1alpha1.SchemeBuilder.GroupVersion, &controllerv1alpha1.DevWorkspaceOperatorConfig{}) - scheme.AddKnownTypes(crdv1.SchemeGroupVersion, &crdv1.CustomResourceDefinition{}) - scheme.AddKnownTypes(operatorsv1alpha1.SchemeGroupVersion, &operatorsv1alpha1.Subscription{}) scheme.AddKnownTypes(oauthv1.GroupVersion, &oauthv1.OAuthClient{}) scheme.AddKnownTypes(oauthv1.GroupVersion, &oauthv1.OAuthClientList{}) - scheme.AddKnownTypes(userv1.GroupVersion, &userv1.UserList{}, &userv1.User{}, &userv1.Identity{}) - scheme.AddKnownTypes(configv1.GroupVersion, &configv1.OAuth{}, &configv1.Proxy{}, &configv1.Console{}) + scheme.AddKnownTypes(configv1.GroupVersion, &configv1.Proxy{}, &configv1.Console{}) scheme.AddKnownTypes(routev1.GroupVersion, &routev1.Route{}) scheme.AddKnownTypes(corev1.SchemeGroupVersion, &corev1.Secret{}) - scheme.AddKnownTypes(corev1.SchemeGroupVersion, &corev1.Secret{}) scheme.AddKnownTypes(console.GroupVersion, &console.ConsoleLink{}) scheme.AddKnownTypes(chev1alpha1.GroupVersion, &chev1alpha1.KubernetesImagePuller{}) securityv1.Install(scheme) 
diff --git a/pkg/deploy/server/rbac.go b/pkg/deploy/server/rbac.go
index 80cafa7a8..e621014f9 100644
--- a/pkg/deploy/server/rbac.go
+++ b/pkg/deploy/server/rbac.go
@@ -238,16 +238,6 @@ func (s *CheServerReconciler) getUserCommonPolicies() []rbacv1.PolicyRule {
 Resources: []string{"configmaps"},
 Verbs: []string{"get", "list", "create", "update", "patch", "delete"},
 },
- {
- APIGroups: []string{""},
- Resources: []string{"events"},
- Verbs: []string{"watch"},
- },
- {
- APIGroups: []string{"apps"},
- Resources: []string{"secrets"},
- Verbs: []string{"list"},
- },
 {
 APIGroups: []string{"apps"},
 Resources: []string{"deployments"},
@@ -258,11 +248,6 @@ func (s *CheServerReconciler) getUserCommonPolicies() []rbacv1.PolicyRule {
 Resources: []string{"replicasets"},
 Verbs: []string{"get", "list", "patch", "delete"},
 },
- {
- APIGroups: []string{"extensions"},
- Resources: []string{"ingresses"},
- Verbs: []string{"get", "list", "watch", "create", "delete"},
- },
 {
 APIGroups: []string{"networking.k8s.io"},
 Resources: []string{"ingresses"},