Posted to commits@camel.apache.org by pc...@apache.org on 2023/12/13 08:29:17 UTC
(camel-k) 01/04: feat(install): Separate namespaced and descoped rbacs
This is an automated email from the ASF dual-hosted git repository.
pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit fdfbb8acf2ba6b0370e9133157e9136de7abbf2b
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Fri Nov 10 14:35:32 2023 +0100
feat(install): Separate namespaced and descoped rbacs
Ref #3165
---
config/manifests/kustomization.yaml | 1 +
.../descoped}/kustomization.yaml | 36 +++---
.../operator-cluster-role-binding-events.yaml} | 5 +-
.../operator-cluster-role-binding-keda.yaml} | 5 +-
.../operator-cluster-role-binding-knative.yaml} | 5 +-
.../operator-cluster-role-binding-leases.yaml} | 5 +-
...operator-cluster-role-binding-podmonitors.yaml} | 5 +-
.../operator-cluster-role-binding-strimzi.yaml} | 5 +-
.../operator-cluster-role-binding.yaml} | 5 +-
.../operator-cluster-role-events.yaml} | 2 +-
.../operator-cluster-role-keda.yaml} | 2 +-
.../operator-cluster-role-knative.yaml} | 2 +-
.../operator-cluster-role-leases.yaml} | 2 +-
.../operator-cluster-role-podmonitors.yaml} | 2 +-
.../operator-cluster-role-strimzi.yaml} | 2 +-
.../operator-cluster-role.yaml} | 2 +-
config/rbac/kustomization.yaml | 29 +++--
config/rbac/{ => namespaced}/kustomization.yaml | 9 +-
.../operator-role-binding-events.yaml | 0
.../operator-role-binding-keda.yaml | 0
.../operator-role-binding-knative.yaml | 0
.../operator-role-binding-leases.yaml | 0
.../operator-role-binding-podmonitors.yaml | 0
.../operator-role-binding-strimzi.yaml | 0
.../{ => namespaced}/operator-role-binding.yaml | 0
.../{ => namespaced}/operator-role-events.yaml | 0
.../rbac/{ => namespaced}/operator-role-keda.yaml | 0
.../{ => namespaced}/operator-role-knative.yaml | 0
.../{ => namespaced}/operator-role-leases.yaml | 0
.../operator-role-podmonitors.yaml | 0
.../{ => namespaced}/operator-role-strimzi.yaml | 0
config/rbac/{ => namespaced}/operator-role.yaml | 0
install/Makefile | 10 +-
install/setup/kustomization.yaml | 12 --
pkg/install/operator.go | 136 ++++++++++++++-------
35 files changed, 159 insertions(+), 123 deletions(-)
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 94f8a27f8..9a926be1b 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -27,6 +27,7 @@ resources:
- ../samples
- ../scorecard
- ../rbac
+- ../rbac/namespaced
- ../rbac/openshift
patchesStrategicMerge:
diff --git a/config/manifests/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
similarity index 61%
copy from config/manifests/kustomization.yaml
copy to config/rbac/descoped/kustomization.yaml
index 94f8a27f8..ade2d46ba 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/rbac/descoped/kustomization.yaml
@@ -14,25 +14,25 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
-# Labels to add to all resources and selectors.
-commonLabels:
- app: camel-k
-
resources:
-- ../manager
-- ../crd
-- ../samples
-- ../scorecard
-- ../rbac
-- ../rbac/openshift
-
-patchesStrategicMerge:
-- patch-delete-user-cluster-role.yaml
-- patch-delete-pvc.yaml
-images:
-- name: docker.io/apache/camel-k
- newName: docker.io/apache/camel-k
- newTag: 2.2.0-SNAPSHOT
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-events.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-events.yaml
index 7b1d41dd5..9dd5228d2 100644
--- a/config/rbac/operator-role-binding-events.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-events
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator-events
apiGroup: rbac.authorization.k8s.io
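Review bot: The added subject `namespace: placeholder` is a literal that something must rewrite before the manifest is applied; if it survives, this ClusterRoleBinding grants `camel-k-operator-events` cluster-wide to a `camel-k-operator` service account in a namespace called `placeholder`, not to the operator's own account. Nothing visible in this commit performs that substitution, so both the kustomize setup and the Go install path should be confirmed to do it (depending on version, kustomize's namespace transformer may not rewrite ServiceAccount subjects in bindings). A comment next to the field, such as `# replaced with the operator namespace at install time`, would make the contract explicit. The same line is added in the keda, knative, leases, podmonitors, strimzi and base operator bindings.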
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-keda.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-keda.yaml
index fd8c60256..92e154e87 100644
--- a/config/rbac/operator-role-binding-keda.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-keda
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator-keda
apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-knative.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-knative.yaml
index 034baef7b..739b0dd06 100644
--- a/config/rbac/operator-role-binding-knative.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-knative
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator-knative
apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-leases.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-leases.yaml
index 5bbc4efc1..35d667fd1 100644
--- a/config/rbac/operator-role-binding-leases.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-leases
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator-leases
apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-podmonitors.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
index 26b6d9c85..bef231b07 100644
--- a/config/rbac/operator-role-binding-podmonitors.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-podmonitors
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator-podmonitors
apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-strimzi.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
index 9a860c02c..fefd14352 100644
--- a/config/rbac/operator-role-binding-strimzi.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-strimzi
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator-strimzi
apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
similarity index 94%
copy from config/rbac/operator-role-binding.yaml
copy to config/rbac/descoped/operator-cluster-role-binding.yaml
index afbdf270f..83f227d62 100644
--- a/config/rbac/operator-role-binding.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: RoleBinding
+kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator
@@ -24,7 +24,8 @@ metadata:
subjects:
- kind: ServiceAccount
name: camel-k-operator
+ namespace: placeholder
roleRef:
- kind: Role
+ kind: ClusterRole
name: camel-k-operator
apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
similarity index 98%
copy from config/rbac/operator-role-events.yaml
copy to config/rbac/descoped/operator-cluster-role-events.yaml
index d109b734d..1dfd24b01 100644
--- a/config/rbac/operator-role-events.yaml
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-events
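Review bot: The descoped ClusterRole is a near-verbatim copy of the namespaced Role (98% similarity, only `kind` changes in this hunk), so every rule that was confined to one namespace now applies cluster-wide, and the two files have to be kept in sync by hand. The rules themselves are outside the hunk; each should be checked for verbs that were acceptable in a single namespace but are broader than a global operator needs. A header comment such as `# Cluster-scoped copy of ../namespaced/operator-role-events.yaml; keep rules in sync` would help against drift. The same applies to the keda, knative, leases, podmonitors, strimzi and base operator cluster roles.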
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
similarity index 98%
copy from config/rbac/operator-role-keda.yaml
copy to config/rbac/descoped/operator-cluster-role-keda.yaml
index 22c026c15..3b3f432eb 100644
--- a/config/rbac/operator-role-keda.yaml
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-keda
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
similarity index 98%
copy from config/rbac/operator-role-knative.yaml
copy to config/rbac/descoped/operator-cluster-role-knative.yaml
index 3cba80931..305d26b62 100644
--- a/config/rbac/operator-role-knative.yaml
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-knative
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
similarity index 98%
copy from config/rbac/operator-role-leases.yaml
copy to config/rbac/descoped/operator-cluster-role-leases.yaml
index 4223e8e2e..6ea671bd2 100644
--- a/config/rbac/operator-role-leases.yaml
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-leases
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
similarity index 98%
copy from config/rbac/operator-role-podmonitors.yaml
copy to config/rbac/descoped/operator-cluster-role-podmonitors.yaml
index 7a3fe05c4..2578103c3 100644
--- a/config/rbac/operator-role-podmonitors.yaml
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-podmonitors
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
similarity index 98%
copy from config/rbac/operator-role-strimzi.yaml
copy to config/rbac/descoped/operator-cluster-role-strimzi.yaml
index ab0a91d70..9ccea139f 100644
--- a/config/rbac/operator-role-strimzi.yaml
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator-strimzi
diff --git a/config/rbac/operator-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
similarity index 99%
copy from config/rbac/operator-role.yaml
copy to config/rbac/descoped/operator-cluster-role.yaml
index 4ddc2d4c1..d7ee2fa39 100644
--- a/config/rbac/operator-role.yaml
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -15,7 +15,7 @@
# limitations under the License.
# ---------------------------------------------------------------------------
-kind: Role
+kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: camel-k-operator
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index f2600f162..5b3e03f55 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -23,23 +23,22 @@ kind: Kustomization
resources:
- user-cluster-role.yaml
-- operator-role-events.yaml
-- operator-role-knative.yaml
-- operator-role.yaml
-- operator-role-keda.yaml
-- operator-role-leases.yaml
-- operator-role-podmonitors.yaml
-- operator-role-strimzi.yaml
-- operator-role-binding-events.yaml
-- operator-role-binding-keda.yaml
-- operator-role-binding-knative.yaml
-- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
-- operator-role-binding-podmonitors.yaml
-- operator-role-binding-strimzi.yaml
-- operator-role-binding.yaml
- operator-cluster-role-custom-resource-definitions.yaml
- operator-cluster-role-binding-custom-resource-definitions.yaml
- operator-cluster-role-addressable-resolver.yaml
- operator-cluster-role-binding-addressable-resolver.yaml
- operator-cluster-role-local-registry.yaml
+- operator-role-binding-local-registry.yaml
+
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: PatchTransformer
+ metadata:
+ name: fix-local-registry-rbac-namespace
+ patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+ target:
+ group: rbac.authorization.k8s.io
+ kind: RoleBinding
+ name: camel-k-operator-local-registry
\ No newline at end of file
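Review bot: Moving `fix-local-registry-rbac-namespace` from `install/setup` into this base changes when it runs relative to an overlay's `namespace:` setting. An overlay that sets a namespace applies it after this base is built and may overwrite `kube-public` on the `camel-k-operator-local-registry` RoleBinding; a `kustomize build` of `install/setup` would confirm where the binding lands. The `replace` op also presupposes that `/metadata/namespace` already exists on that RoleBinding, which the hunk does not show. The file now ends without a trailing newline.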
diff --git a/config/rbac/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml
similarity index 78%
copy from config/rbac/kustomization.yaml
copy to config/rbac/namespaced/kustomization.yaml
index f2600f162..510beb4d5 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/namespaced/kustomization.yaml
@@ -16,13 +16,12 @@
# ---------------------------------------------------------------------------
#
-# rbac resources applicable for all kubernetes platforms
+# rbac resources applicable for all kubernetes platforms - namespaced operator
#
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
-- user-cluster-role.yaml
- operator-role-events.yaml
- operator-role-knative.yaml
- operator-role.yaml
@@ -34,12 +33,6 @@ resources:
- operator-role-binding-keda.yaml
- operator-role-binding-knative.yaml
- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
- operator-role-binding-podmonitors.yaml
- operator-role-binding-strimzi.yaml
- operator-role-binding.yaml
-- operator-cluster-role-custom-resource-definitions.yaml
-- operator-cluster-role-binding-custom-resource-definitions.yaml
-- operator-cluster-role-addressable-resolver.yaml
-- operator-cluster-role-binding-addressable-resolver.yaml
-- operator-cluster-role-local-registry.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-events.yaml
rename to config/rbac/namespaced/operator-role-binding-events.yaml
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-keda.yaml
rename to config/rbac/namespaced/operator-role-binding-keda.yaml
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-knative.yaml
rename to config/rbac/namespaced/operator-role-binding-knative.yaml
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-leases.yaml
rename to config/rbac/namespaced/operator-role-binding-leases.yaml
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-strimzi.yaml
rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml
similarity index 100%
rename from config/rbac/operator-role-binding.yaml
rename to config/rbac/namespaced/operator-role-binding.yaml
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml
similarity index 100%
rename from config/rbac/operator-role-events.yaml
rename to config/rbac/namespaced/operator-role-events.yaml
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-keda.yaml
rename to config/rbac/namespaced/operator-role-keda.yaml
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-knative.yaml
rename to config/rbac/namespaced/operator-role-knative.yaml
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-leases.yaml
rename to config/rbac/namespaced/operator-role-leases.yaml
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-podmonitors.yaml
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-strimzi.yaml
rename to config/rbac/namespaced/operator-role-strimzi.yaml
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml
similarity index 100%
rename from config/rbac/operator-role.yaml
rename to config/rbac/namespaced/operator-role.yaml
diff --git a/install/Makefile b/install/Makefile
index ce329c6d5..a80f5e3da 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -241,13 +241,11 @@ endif
setup: setup-cluster
# Set the namespace in the setup kustomization yaml
@$(call set-kustomize-namespace,$@)
-# If GLOBAL then add the conversion patches for all roles and rolebindings
-ifeq ($(GLOBAL),true)
- @$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
- @$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+# If GLOBAL then add the versions with clusterroles and clusterrolebindings
+ifeq ($(GLOBAL), true)
+ @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;
else
- @$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
- @$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+ @cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
endif
ifeq ($(PLATFORM), openshift)
@for res in $(RBAC_OS)/operator-role*; do \
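Review bot: `kustomize edit add resource` only ever adds, so the `else` branch no longer undoes an earlier `GLOBAL=true` run the way the removed `add-remove-kind-patch,setup,remove,...` calls did. Unless `setup/kustomization.yaml` is reset elsewhere, a later namespaced run would keep the `descoped` ClusterRoles and ClusterRoleBindings alongside the namespaced ones. Each branch could drop the other variant first, e.g. `$(KUSTOMIZE) edit remove resource ../$(RBAC)/descoped` before adding `namespaced`. `&>` is a bashism: under a POSIX `sh`, `cd - &> /dev/null` backgrounds `cd -` instead of silencing it, so `> /dev/null 2>&1` is safer unless the Makefile sets `SHELL` to bash. The recipe continues past the end of the hunk.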
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index 9598726ca..c10dfd653 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,15 +19,3 @@ kind: Kustomization
resources:
- ../config/rbac
-
-transformers:
-- |-
- apiVersion: builtin
- kind: PatchTransformer
- metadata:
- name: fix-local-registry-rbac-namespace
- patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
- target:
- group: rbac.authorization.k8s.io
- kind: RoleBinding
- name: camel-k-operator-local-registry
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 9daf61ee0..2db3fde3d 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
}
// Install Kubernetes RBAC resources (roles and bindings)
- if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
return err
}
@@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
return err
}
if isKnative {
- if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
return err
}
if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil {
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
}
}
- if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
if k8serrors.IsAlreadyExists(err) {
return err
}
fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.")
}
- if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
if k8serrors.IsAlreadyExists(err) {
return err
}
fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.")
}
- if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
if k8serrors.IsAlreadyExists(err) {
return err
}
fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.")
}
- if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
if k8serrors.IsAlreadyExists(err) {
return err
}
fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. Try installing as cluster-admin to allow the lookup of strimzi kafka resources.")
}
- if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+ if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
if k8serrors.IsAlreadyExists(err) {
return err
}
@@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin
)
}
-func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/manager/operator-service-account.yaml",
- "/rbac/operator-role.yaml",
- "/rbac/operator-role-binding.yaml",
- )
+func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/manager/operator-service-account.yaml",
+ "/rbac/descoped/operator-cluster-role.yaml",
+ "/rbac/descoped/operator-cluster-role-binding.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/manager/operator-service-account.yaml",
+ "/rbac/namespaced/operator-role.yaml",
+ "/rbac/namespaced/operator-role-binding.yaml",
+ )
+ }
}
func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus
)
}
-func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-keda.yaml",
- "/rbac/operator-role-binding-keda.yaml",
- )
+func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-keda.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-keda.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-keda.yaml",
+ "/rbac/namespaced/operator-role-binding-keda.yaml",
+ )
+ }
}
-func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-knative.yaml",
- "/rbac/operator-role-binding-knative.yaml",
- )
+func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-knative.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-knative.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-knative.yaml",
+ "/rbac/namespaced/operator-role-binding-knative.yaml",
+ )
+ }
}
-func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-events.yaml",
- "/rbac/operator-role-binding-events.yaml",
- )
+func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-events.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-events.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-events.yaml",
+ "/rbac/namespaced/operator-role-binding-events.yaml",
+ )
+ }
}
-func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-podmonitors.yaml",
- "/rbac/operator-role-binding-podmonitors.yaml",
- )
+func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-podmonitors.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-podmonitors.yaml",
+ "/rbac/namespaced/operator-role-binding-podmonitors.yaml",
+ )
+ }
}
-func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-strimzi.yaml",
- "/rbac/operator-role-binding-strimzi.yaml",
- )
+func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-strimzi.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-strimzi.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-strimzi.yaml",
+ "/rbac/namespaced/operator-role-binding-strimzi.yaml",
+ )
+ }
}
func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace
)
}
-func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
- return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
- "/rbac/operator-role-leases.yaml",
- "/rbac/operator-role-binding-leases.yaml",
- )
+func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+ if global {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/descoped/operator-cluster-role-leases.yaml",
+ "/rbac/descoped/operator-cluster-role-binding-leases.yaml",
+ )
+ } else {
+ return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+ "/rbac/namespaced/operator-role-leases.yaml",
+ "/rbac/namespaced/operator-role-binding-leases.yaml",
+ )
+ }
}
// NewPlatform creates a new IntegrationPlatform instance.