mirror of
https://github.com/open-cluster-management-io/ocm.git
synced 2026-02-14 10:00:11 +00:00
* Add addon conversion webhook for v1alpha1/v1beta1 API migration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Qing Hao <qhao@redhat.com> * Fix GroupVersion compatibility issues after API dependency update This commit fixes compilation and test errors introduced by updating the API dependency to use native conversion functions from PR #411. Changes include: 1. Fix GroupVersion type mismatches across the codebase: - Updated OwnerReference creation to use schema.GroupVersion - Fixed webhook scheme registration to use proper GroupVersion type - Applied fixes to addon, placement, migration, work, and registration controllers 2. Enhance addon conversion webhook: - Use native API conversion functions from addon/v1beta1/conversion.go - Fix InstallNamespace annotation key to match expected format - Add custom logic to populate deprecated ConfigReferent field in ConfigReferences - Properly preserve annotations during v1alpha1 <-> v1beta1 conversion 3. Remove duplicate conversion code: - Deleted pkg/addon/webhook/conversion/ directory (~500 lines) - Now using native conversion functions from the API repository 4. Patch vendored addon-framework: - Fixed GroupVersion errors in agentdeploy utils All unit tests pass successfully (97 packages, 0 failures). Signed-off-by: Qing Hao <qhao@redhat.com> --------- Signed-off-by: Qing Hao <qhao@redhat.com> Co-authored-by: Claude <noreply@anthropic.com>
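---
# Source: cluster-manager/templates/cluster_role.yaml
#
# ClusterRole for the cluster-manager operator (presumably the
# "registration-operator" the rule comments refer to). The binding is not
# part of this file: how far these rules reach depends on whether the role is
# bound with a ClusterRoleBinding or a namespaced RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-manager
rules:
# Allow the registration-operator to create workload
- apiGroups: [""]
  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
# Token requests are limited to one named service account.
- apiGroups: [""]
  resources: ["serviceaccounts/token"]
  resourceNames:
  - "agent-registration-bootstrap"
  verbs: ["get", "create"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
# Read/write access to secrets is limited to the names listed below.
# With resourceNames set, list/watch is only authorized for requests that
# carry a matching metadata.name field selector.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "update", "patch", "delete"]
  resourceNames:
  - "signer-secret"
  - "registration-webhook-serving-cert"
  - "work-webhook-serving-cert"
  - "addon-webhook-serving-cert"
  - "registration-controller-sa-kubeconfig"
  - "registration-webhook-sa-kubeconfig"
  - "work-webhook-sa-kubeconfig"
  - "placement-controller-sa-kubeconfig"
  - "work-controller-sa-kubeconfig"
  - "addon-manager-controller-sa-kubeconfig"
  - "addon-webhook-sa-kubeconfig"
  - "external-hub-kubeconfig"
  - "work-driver-config"
  - "open-cluster-management-image-pull-credentials"
  - "grpc-server-serving-cert"
  - "cluster-import-config"
# `create` is a separate rule because RBAC cannot restrict create by
# resourceNames; this rule therefore allows creating a secret of any name.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create", "get"]
- apiGroups: ["", "events.k8s.io"]
  resources: ["events"]
  verbs: ["get", "list", "watch", "create", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get"]
# Neither `bind` nor `escalate` is granted in the two RBAC rules below, so the
# API server's escalation check applies: roles and bindings written through
# them can only carry permissions this role itself holds.
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings", "rolebindings"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "roles"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Allow the registration-operator to create crds
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Allow the registration-operator to update crds status
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions/status"]
  verbs: ["update", "patch"]
# Allow the registration-operator to create apiservice
- apiGroups: ["apiregistration.k8s.io"]
  resources: ["apiservices"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Allow the registration-operator to create validatingwebhookconfiguration
# and mutatingwebhookconfiguration.
# NOTE(review): no resourceNames on this rule or on the apiservices rule
# above, so write access covers every webhook configuration and APIService
# in the cluster; treat the bound subject as highly privileged.
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Allow the nucleus to manage clustermanager apis.
- apiGroups: ["operator.open-cluster-management.io"]
  resources: ["clustermanagers"]
  verbs: ["get", "list", "watch", "update", "delete", "patch"]
- apiGroups: ["operator.open-cluster-management.io"]
  resources: ["clustermanagers/status"]
  verbs: ["update", "patch"]
# Allow the registration-operator to create storageversionmigration
- apiGroups: ["migration.k8s.io"]
  resources: ["storageversionmigrations"]
  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
# Some rbac needed in cluster-manager
# NOTE(review): presumably held here so the operator passes the RBAC
# escalation check when it grants these permissions to the hub components;
# confirm against the roles it creates.
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["managedclusteraddons", "clustermanagementaddons"]
  verbs: ["create", "update", "patch", "get", "list", "watch", "delete"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["managedclusteraddons/status", "clustermanagementaddons/status"]
  verbs: ["patch", "update"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["managedclusteraddons/finalizers", "clustermanagementaddons/finalizers"]
  verbs: ["update"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["addondeploymentconfigs", "addontemplates"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["create", "get", "list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/approval", "certificatesigningrequests/status"]
  verbs: ["update"]
# NOTE(review): no resourceNames, so approve/sign applies to every
# signerName. If the signers the hub uses are fixed, scope this rule to them
# (the signer names are not shown in this file).
- apiGroups: ["certificates.k8s.io"]
  resources: ["signers"]
  verbs: ["approve", "sign"]
# the grpc-server requires the create permission for bootstrapping a managed cluster
- apiGroups: ["cluster.open-cluster-management.io"]
  resources: ["managedclusters"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["cluster.open-cluster-management.io"]
  resources: ["managedclustersetbindings", "placements", "addonplacementscores"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["cluster.open-cluster-management.io"]
  resources: ["managedclustersets", "placementdecisions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["cluster.open-cluster-management.io"]
  resources:
  - "managedclusters/status"
  - "managedclustersetbindings/status"
  - "managedclustersets/status"
  - "placements/status"
  - "placementdecisions/status"
  verbs: ["update", "patch"]
- apiGroups: ["cluster.open-cluster-management.io"]
  resources: ["placements/finalizers"]
  verbs: ["update"]
# The register.open-cluster-management.io group and the `renew` verb are not
# built-in Kubernetes API. NOTE(review): presumably virtual permissions that
# OCM components check through SubjectAccessReview; confirm which component
# evaluates them.
- apiGroups: ["register.open-cluster-management.io"]
  resources: ["managedclusters/clientcertificates"]
  verbs: ["renew"]
- apiGroups: ["register.open-cluster-management.io"]
  resources: ["managedclusters/accept"]
  verbs: ["update"]
- apiGroups: ["work.open-cluster-management.io"]
  resources: ["manifestworkreplicasets"]
  verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
- apiGroups: ["work.open-cluster-management.io"]
  resources: ["manifestworkreplicasets/finalizers"]
  verbs: ["update"]
# `execute-as` is not a standard Kubernetes verb.
# NOTE(review): confirm which component evaluates it and what it authorizes.
- apiGroups: ["work.open-cluster-management.io"]
  resources: ["manifestworks"]
  verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch", "execute-as"]
- apiGroups: ["work.open-cluster-management.io"]
  resources: ["manifestworks/status", "manifestworkreplicasets/status"]
  verbs: ["update", "patch"]
- apiGroups: ["flowcontrol.apiserver.k8s.io"]
  resources: ["flowschemas", "prioritylevelconfigurations"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["config.openshift.io"]
  resources: ["infrastructures"]
  verbs: ["get"]
- apiGroups: ["multicluster.x-k8s.io"]
  resources: ["clusterprofiles"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["multicluster.x-k8s.io"]
  resources: ["clusterprofiles/status"]
  verbs: ["update", "patch"]
- apiGroups: ["cluster.x-k8s.io"]
  resources: ["clusters"]
  verbs: ["get", "list", "watch"]
# for grpc-server: the grpc-server needs the join permission for
# bootstrapping a managed cluster
- apiGroups: ["cluster.open-cluster-management.io"]
  resources: ["managedclustersets/join"]
  verbs: ["create"]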