Add RBAC for cluster resource

Update Makefile
thom311 · May 28, 2019 · 8844150 · 8844150
1 parent 8b55ab8
commit 8844150
Show file tree

Hide file tree

Showing 9 changed files with 53 additions and 15 deletions.
diff --git a/Makefile b/Makefile
@@ -61,13 +61,13 @@ gencode: operator-sdk
 	@operator-sdk generate k8s
 	@operator-sdk generate openapi
 
-# deploy-setup:
-# 	hack/deploy-setup.sh
+deploy-setup:
+	@EXCLUSIONS=() hack/deploy-setup.sh sriov-network-operator
 
 # test-unit:
 # 	@go test -v $(PKGS)
 test-e2e: operator-sdk
-	@operator-sdk test local ./test/e2e --go-test-flags "-v -parallel=2"
-
-# undeploy:
-# 	hack/undeploy.sh
+	@EXCLUSIONS=() hack/deploy-setup.sh sriov-network-operator && operator-sdk test local ./test/e2e --go-test-flags "-v" --namespace sriov-network-operator --no-setup
+	@hack/undeploy.sh sriov-network-operator
+undeploy:
+	@hack/undeploy.sh sriov-network-operator
diff --git a/deploy/clusterrole.yaml b/deploy/clusterrole.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sriov-network-operator
+rules:
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: [namespaces, serviceaccounts, ]
+  verbs: ["*"]
+- apiGroups: [rbac.authorization.k8s.io]
+  resources: [rolebindings, roles]
+  verbs: ["*"]
diff --git a/deploy/clusterrolebinding.yaml b/deploy/clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sriov-network-operator
+roleRef:
+  kind: ClusterRole
+  name: sriov-network-operator
+subjects:
+- kind: ServiceAccount
+  namespace: sriov-network-operator
+  name: sriov-network-operator
diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -3,7 +3,6 @@ kind: Role
 metadata:
   creationTimestamp: null
   name: sriov-network-operator
-  namespace: sriov-network-operator
 rules:
 - apiGroups:
   - ""

diff --git a/deploy/role_binding.yaml b/deploy/role_binding.yaml
@@ -2,7 +2,6 @@ kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: sriov-network-operator
-  namespace: sriov-network-operator
 subjects:
 - kind: ServiceAccount
   name: sriov-network-operator

diff --git a/deploy/service_account.yaml b/deploy/service_account.yaml
@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: sriov-network-operator
-  namespace: sriov-network-operator
diff --git a/hack/deploy-setup.sh b/hack/deploy-setup.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
-# This script inits a cluster to allow node-network-operator
+# This script inits a cluster to allow sriov-network-operator
 # to deploy.  It assumes it is capable of login as a
 # user who has the cluster-admin role
 
-set -euxo pipefail
+# set -euxo pipefail
 
 source "$(dirname $0)/common"
 
@@ -15,12 +15,12 @@ load_manifest() {
   fi
 
   pushd ${repo}/deploy
-    if ! oc get project node-network-operator > /dev/null 2>&1 && test -f namespace.yaml ; then
+    if ! oc get ns sriov-network-operator > /dev/null 2>&1 && test -f namespace.yaml ; then
       oc apply -f namespace.yaml
     fi
-    files="service_account.yaml role.yaml role_binding.yaml operator.yaml crds/sriovnetwork_v1_sriovnetwork_crd.yaml crds/k8s_v1_networkattachmentdefinition_crd.yaml crds/sriovnetwork_v1_sriovnetworknodepolicy_crd.yaml crds/sriovnetwork_v1_sriovnetworknodestate_crd.yaml"
+    files="service_account.yaml role.yaml role_binding.yaml clusterrole.yaml clusterrolebinding.yaml crds/sriovnetwork_v1_sriovnetwork_crd.yaml crds/k8s_v1_networkattachmentdefinition_crd.yaml crds/sriovnetwork_v1_sriovnetworknodepolicy_crd.yaml crds/sriovnetwork_v1_sriovnetworknodestate_crd.yaml operator.yaml"
     for m in ${files}; do
-      if [ "$(echo ${EXCLUSIONS[@]} | grep -o ${m} | wc -w)" == "0" ] ; then
+      if [ "$(echo ${EXCLUSIONS[@]} | grep -o ${m} | wc -w | xargs)" == "0" ] ; then
         oc apply -f ${m} ${namespace:-}
       fi
     done
@@ -31,4 +31,4 @@ load_manifest() {
 rm -rf /tmp/_working_dir
 mkdir /tmp/_working_dir
 
-load_manifest ${repo_dir}
+load_manifest ${repo_dir} $1
diff --git a/hack/run-locally.sh b/hack/run-locally.sh
@@ -1,2 +1,3 @@
 #!/bin/bash
+EXCLUSIONS=(operator.yaml) hack/deploy-setup.sh sriov-network-operator
 env $(cat hack/env.sh) operator-sdk up local --namespace sriov-network-operator
diff --git a/hack/undeploy.sh b/hack/undeploy.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#set -euxo pipefail
+
+repo_dir="$(dirname $0)/.."
+namespace=${1:-}
+if [ -n "${namespace}" ] ; then
+  namespace="-n ${namespace}"
+fi
+
+pushd ${repo_dir}/deploy
+files="operator.yaml service_account.yaml role.yaml role_binding.yaml clusterrole.yaml clusterrolebinding.yaml crds/sriovnetwork_v1_sriovnetwork_crd.yaml crds/k8s_v1_networkattachmentdefinition_crd.yaml crds/sriovnetwork_v1_sriovnetworknodepolicy_crd.yaml crds/sriovnetwork_v1_sriovnetworknodestate_crd.yaml"
+for file in ${files}; do
+  oc delete -f $file --ignore-not-found ${namespace}
+done
+popd