diff --git a/internal/cmd/controller/agentmanagement/controllers/clusterregistrationtoken/handler.go b/internal/cmd/controller/agentmanagement/controllers/clusterregistrationtoken/handler.go
index 2108a0d01d..107cdb2916 100644
--- a/internal/cmd/controller/agentmanagement/controllers/clusterregistrationtoken/handler.go
+++ b/internal/cmd/controller/agentmanagement/controllers/clusterregistrationtoken/handler.go
@@ -9,6 +9,7 @@ import (
 
 "github.com/sirupsen/logrus"
 
+ "github.com/rancher/fleet/internal/cmd/controller/agentmanagement/controllers/resources"
 secretutil "github.com/rancher/fleet/internal/cmd/controller/agentmanagement/secret"
 "github.com/rancher/fleet/internal/config"
 fleet "github.com/rancher/fleet/pkg/apis/fleet.cattle.io/v1alpha1"
@@ -142,22 +143,6 @@ func (h *handler) OnChange(token *fleet.ClusterRegistrationToken, status fleet.C
 },
 },
 },
- &rbacv1.Role{
- ObjectMeta: metav1.ObjectMeta{
- Name: name.SafeConcatName(saName, "role"),
- Namespace: token.Namespace,
- Labels: map[string]string{
- fleet.ManagedLabel: "true",
- },
- },
- Rules: []rbacv1.PolicyRule{
- {
- Verbs: []string{"create"},
- APIGroups: []string{fleet.SchemeGroupVersion.Group},
- Resources: []string{fleet.ClusterRegistrationResourceNamePlural},
- },
- },
- },
 &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{
 Name: name.SafeConcatName(saName, "to", "role"),
@@ -175,21 +160,8 @@ func (h *handler) OnChange(token *fleet.ClusterRegistrationToken, status fleet.C
 },
 RoleRef: rbacv1.RoleRef{
 APIGroup: rbacv1.GroupName,
- Kind: "Role",
- Name: name.SafeConcatName(saName, "role"),
- },
- },
- &rbacv1.Role{
- ObjectMeta: metav1.ObjectMeta{
- Name: name.SafeConcatName(saName, "creds"),
- Namespace: h.systemRegistrationNamespace,
- },
- Rules: []rbacv1.PolicyRule{
- {
- Verbs: []string{"get"},
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- },
+ Kind: "ClusterRole",
+ Name: resources.ImportRegistration,
 },
 },
 &rbacv1.RoleBinding{
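Review bot: The removed per-token Role `name.SafeConcatName(saName, "role")` (and its `"creds"` sibling in the next hunk) simply drops out of the object list OnChange returns, but nothing in this hunk removes the copies that already exist in running installs; unless the apply path prunes objects that leave the set, upgraded clusters keep one stale Role per token. Such a Role is unbound once the RoleBinding points at the ClusterRole, so it grants nothing, but it still carries `fleet.ManagedLabel` and will confuse anyone auditing RBAC. I would confirm the apply's pruning behaviour with a pre-existing token, or delete both names explicitly during the transition. OnChange starts and ends outside this hunk.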
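Review bot: Switching `RoleRef.Kind` from `"Role"` to `"ClusterRole"` on the `SafeConcatName(saName, "to", "role")` binding is a change to `roleRef`, which the API server treats as immutable on RoleBindings, so an in-place update of a binding created before this change will be rejected unless the apply layer deletes and recreates it when roleRef differs. The hunk only shows the new RoleRef, so I cannot tell from here whether that is handled; it deserves an upgrade test with a token that already has its binding. A why-comment on the new RoleRef would also help the next reader: `// shared ClusterRole bound via a namespaced RoleBinding, so it only grants create in token.Namespace`. OnChange starts and ends outside this hunk.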
@@ -206,8 +178,8 @@ func (h *handler) OnChange(token *fleet.ClusterRegistrationToken, status fleet.C
 },
 RoleRef: rbacv1.RoleRef{
 APIGroup: rbacv1.GroupName,
- Kind: "Role",
- Name: name.SafeConcatName(saName, "creds"),
+ Kind: "ClusterRole",
+ Name: resources.ImportCredentials,
 },
 },
 }, secrets...), status, nil
diff --git a/internal/cmd/controller/agentmanagement/controllers/resources/data.go b/internal/cmd/controller/agentmanagement/controllers/resources/data.go
index e83479156f..9230cc6372 100644
--- a/internal/cmd/controller/agentmanagement/controllers/resources/data.go
+++ b/internal/cmd/controller/agentmanagement/controllers/resources/data.go
@@ -13,6 +13,8 @@ import (
 const (
 BundleDeploymentClusterRole = "fleet-bundle-deployment"
 ContentClusterRole = "fleet-content"
+ ImportRegistration = "fleet-import-registration"
+ ImportCredentials = "fleet-import-creds" // nolint:gosec // this is not a credential
 )
 
 // ApplyBootstrapResources creates the cluster roles, system namespace and system registration namespace
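Review bot: With `resources.ImportCredentials` now a shared ClusterRole that grants `get` on all secrets, the only thing keeping this grant confined is the namespace of the RoleBinding, which lives in the ObjectMeta outside this hunk (the removed Role sat in `h.systemRegistrationNamespace`, so the binding presumably does too). Nothing on the new side records that invariant, and a later refactor that turns this into a ClusterRoleBinding or moves it to `token.Namespace` would silently widen secret access. I'd add above `RoleRef`: `// must stay a namespaced RoleBinding in h.systemRegistrationNamespace: the shared ClusterRole reads every secret in whichever namespace it is bound`. The roleRef-immutability upgrade concern raised for the registration binding applies here as well. OnChange starts outside this hunk.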
@@ -54,11 +56,39 @@ func ApplyBootstrapResources(systemNamespace, systemRegistrationNamespace string
 },
 },
 },
+ // used by import- service accounts
+ &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: ImportCredentials,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ },
+ },
+ },
+ // used by import- service accounts
+ &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: ImportRegistration,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ Verbs: []string{"create"},
+ APIGroups: []string{fleet.SchemeGroupVersion.Group},
+ Resources: []string{fleet.ClusterRegistrationResourceNamePlural},
+ },
+ },
+ },
+ // namespace for the controllers (e.g. cattle-fleet-system)
 &corev1.Namespace{
 ObjectMeta: metav1.ObjectMeta{
 Name: systemNamespace,
 },
 },
+ // namespace for secrets used in the cluster registration process (e.g. cattle-fleet-clusters-system)
 &corev1.Namespace{
 ObjectMeta: metav1.ObjectMeta{
 Name: systemRegistrationNamespace,
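Review bot: The `ImportCredentials` ClusterRole grants `get` on `secrets` with no `resourceNames`, and as a cluster-scoped object its blast radius is now decided entirely by whoever binds it: a RoleBinding confines it to one namespace, a ClusterRoleBinding would hand out every secret in the cluster. The `// used by import- service accounts` comment above it does not say that, and the same rule was previously implied by the Role being namespaced. I'd expand the comment to `// used by import- service accounts; grants get on every secret in the namespace it is bound in, so bind it only through a namespaced RoleBinding in the registration namespace, never a ClusterRoleBinding`. The `ImportRegistration` role (create clusterregistrations) deserves the same caveat, though its exposure is smaller. ApplyBootstrapResources starts outside this hunk and the object list continues past its last line.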