forklift: add missing rbac

Signed-off-by: Benny Zlotnik <[email protected]>
kubevirt · Jun 25, 2024 · 05c53a2 · 05c53a2
1 parent b887d87
commit 05c53a2
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 3 deletions.
diff --git a/pkg/operator/resources/cluster/controller.go b/pkg/operator/resources/cluster/controller.go
@@ -275,9 +275,7 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"openstackvolumepopulators",
 			},
 			Verbs: []string{
-				"get",
-				"list",
-				"watch",
+				"*",
 			},
 		},
 	}

diff --git a/pkg/operator/resources/cluster/rbac.go b/pkg/operator/resources/cluster/rbac.go
@@ -30,8 +30,13 @@ func createAggregateClusterRoles(_ *FactoryArgs) []client.Object {
 		utils.ResourceBuilder.CreateAggregateClusterRole("cdi.kubevirt.io:admin", "admin", getAdminPolicyRules()),
 		utils.ResourceBuilder.CreateAggregateClusterRole("cdi.kubevirt.io:edit", "edit", getEditPolicyRules()),
 		utils.ResourceBuilder.CreateAggregateClusterRole("cdi.kubevirt.io:view", "view", getViewPolicyRules()),
+		utils.ResourceBuilder.CreateAggregateClusterRole("forklift.cdi.kubevirt.io:admin", "admin", getAdminPolicyRules()),
+		utils.ResourceBuilder.CreateAggregateClusterRole("forklift.cdi.kubevirt.io:edit", "edit", getEditPolicyRules()),
+		utils.ResourceBuilder.CreateAggregateClusterRole("forklift.cdi.kubevirt.io:view", "view", getViewPolicyRules()),
 		createConfigReaderClusterRole("cdi.kubevirt.io:config-reader"),
+		createConfigReaderClusterRole("forklift.cdi.kubevirt.io:config-reader"),
 		createConfigReaderClusterRoleBinding("cdi.kubevirt.io:config-reader"),
+		createConfigReaderClusterRoleBinding("forklift.cdi.kubevirt.io:config-reader"),
 	}
 }
 
@@ -75,6 +80,18 @@ func getAdminPolicyRules() []rbacv1.PolicyRule {
 				"*",
 			},
 		},
+		{
+			APIGroups: []string{
+				"forklift.cdi.kubevirt.io",
+			},
+			Resources: []string{
+				"ovirtvolumepopulators",
+				"openstackvolumepopulators",
+			},
+			Verbs: []string{
+				"*",
+			},
+		},
 	}
 }
 
@@ -107,6 +124,20 @@ func getViewPolicyRules() []rbacv1.PolicyRule {
 				"watch",
 			},
 		},
+		{
+			APIGroups: []string{
+				"forklift.cdi.kubevirt.io",
+			},
+			Resources: []string{
+				"ovirtvolumepopulators",
+				"openstackvolumepopulators",
+			},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
+			},
+		},
 		{
 			APIGroups: []string{
 				"cdi.kubevirt.io",
@@ -137,6 +168,20 @@ func createConfigReaderClusterRole(name string) *rbacv1.ClusterRole {
 				"watch",
 			},
 		},
+		{
+			APIGroups: []string{
+				"forklift.cdi.kubevirt.io",
+			},
+			Resources: []string{
+				"ovirtvolumepopulators",
+				"openstackvolumepopulators",
+			},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
+			},
+		},
 	}
 
 	return utils.ResourceBuilder.CreateClusterRole(name, rules)
-Original file line number
+Diff line change
@@ Expand Up @@
     				"openstackvolumepopulators",
     			},
     			Verbs: []string{
-    				"get",
-    				"list",
-    				"watch",
+    				"*",
     			},
     		},
     	}
@@ Expand Down @@