Handling Identical Kubebuilder Annotations in Different CRs with * Verbs
Closed this issue · 2 comments
What broke? What's expected?
When there are two identical Kubebuilder annotations (same API groups) in different Custom Resource (CR) files, and one of them uses the verb *, we need to account for a condition where the verb is *, but not * combined with specific verbs like list, update, etc.
For example:
// controllers/storagecluster/reconcile.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=*
func (r *StorageClusterReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {}
// controllers/storagerequest/storagerequest_controller.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;create;update;patch;delete
func (r *StorageRequestReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {}
In the RBAC role configuration:
# config/rbac/role.yaml
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - '*'
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
The role definition currently allows both * and specific verbs such as create, delete, and list. The issue arises from the fact that * includes all verbs, making the additional specific verbs redundant. We should add a condition to avoid this overlap.
Reference: ocs-operator role.yaml
KubeBuilder (CLI) Version
v4.2.0
Hi @OdedViner,
When we use the RBAC markers, the RBAC rules are generated by controller-gen; the implementation is in https://github.com/kubernetes-sigs/controller-tools. Could you please raise this RFE via an issue in the project https://github.com/kubernetes-sigs/controller-tools?
I hope that you do not mind, but we are closing this issue since we cannot address your request in this project.
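The verb collapsing requested in the issue, as an added Go example that is not code from Kubebuilder or controller-tools: `NormalizeVerbs` and `RedundantVerbs` are hypothetical helper names, and the verb list in `main` is copied from the `role.yaml` rule quoted in the issue. `RedundantVerbs` can also serve as a review check, since a rule that lists explicit verbs next to `*` reads as scoped but grants everything.

```go
package main

import (
	"fmt"
	"sort"
)

// NormalizeVerbs merges the verb lists of several markers for one resource.
// If any list grants "*", the result is exactly ["*"]; otherwise it is the
// sorted, deduplicated union of the explicit verbs.
func NormalizeVerbs(lists ...[]string) []string {
	seen := map[string]bool{}
	for _, l := range lists {
		for _, v := range l {
			if v == "*" {
				return []string{"*"}
			}
			seen[v] = true
		}
	}
	out := make([]string, 0, len(seen))
	for v := range seen {
		out = append(out, v)
	}
	sort.Strings(out)
	return out
}

// RedundantVerbs returns the explicit verbs listed alongside "*" in one rule.
// It returns nil when the rule has no wildcard or only the wildcard.
func RedundantVerbs(verbs []string) []string {
	var explicit []string
	for _, v := range verbs {
		if v != "*" {
			explicit = append(explicit, v)
		}
	}
	if len(explicit) == len(verbs) {
		return nil // no wildcard present, nothing is redundant
	}
	return explicit
}

func main() {
	// Verbs of the storageclasses rule in the role.yaml quoted in the issue.
	generated := []string{"*", "create", "delete", "get", "list", "patch", "update", "watch"}
	fmt.Println("redundant:", RedundantVerbs(generated))
	fmt.Println("normalized:", NormalizeVerbs(generated))
}
```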