Generate Bundle Incorrect ClusterPermissions ServiceAccountName #3600

Closed
ricfeatherstone opened this issue Jul 29, 2020 · 1 comment

@ricfeatherstone

Bug Report

Writing an Ansible Operator with namespace and cluster-wide permissions, generate bundle appears to create an incorrect CSV file.

Example project

What did you do?

operator-sdk new example-generator-issue-operator --api-version=issue.example.com/v1alpha1 --kind=Example --type=ansible
Add deploy/clusterrole.yaml and deploy/clusterrole_binding.yaml
operator-sdk generate bundle --version 0.0.1

What did you expect to see?

clusterPermissions:
      - rules:
        - apiGroups:
          - authentication.k8s.io
          resources:
          - tokenreviews
          verbs:
          - create
        serviceAccountName: example-generator-issue-operator

What did you see instead?

clusterPermissions:
      - rules:
        - apiGroups:
          - authentication.k8s.io
          resources:
          - tokenreviews
          verbs:
          - create
        serviceAccountName: token-reviewer

Environment

  • operator-sdk version:

operator-sdk version: "v0.19.0", commit: "8e28aca60994c5cb1aec0251b85f0116cc4c9427", kubernetes version: "v1.18.2", go version: "go1.13.10 linux/amd64"

@estroz estroz self-assigned this Jul 29, 2020
@estroz estroz added kind/bug Categorizes issue or PR as related to a bug. olm-integration Issue relates to the OLM integration labels Jul 29, 2020
estroz pushed a commit that referenced this issue Aug 1, 2020
This commit adds handling for extra RBAC objects present in `generate <bundle|packagemanifests>`
input. These objects will be written to the resulting bundle. For now, only Roles, RoleBindings,
their Cluster equivalents, and ServiceAccounts are written.

This PR also correctly names service account for (cluster) role permissions. These are currently
incorrect because the CSV generator is naively using (cluster) role names instead of actual service
account names. Previously this was ok because the names match the service account, but this is no
longer the case. See #3600.

Old test data has been removed, and a static `basic.operator.yaml` containing the output of
`kustomize build config/manifests` added; the static file's contents match a current project
manifest build.

internal/cmd/operator-sdk/generate: write RBAC objects to stdout or files named with object.Name +
GVK, and rename `--update-crds` to `--update-objects`

internal/generate/{collector/clusterserviceversion}: consider (cluster) role bindings so CSV
generator can assign the correct service account names to roles
@estroz

estroz commented Aug 3, 2020

Closed by #3610

@estroz estroz closed this as completed Aug 3, 2020
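
The binding-based lookup described in the commit message above, as an added Go example (not operator-sdk's own code): service account names are taken from the ServiceAccount subjects of each ClusterRoleBinding, and a role with no such subject is reported rather than named after the role. The types, `ResolvePermissions`, the flattened rule string and the sample objects (including `orphan-role` and the user `alice`) are assumptions constructed to mirror the names in this issue.

```go
package main

import "fmt"

// Simplified stand-ins for RBAC objects (assumed shapes, not operator-sdk types).
// Rule is one flattened "apiGroup/resource:verb" string per role, for brevity.
type Subject struct{ Kind, Name string }
type ClusterRole struct{ Name, Rule string }
type Permission struct{ ServiceAccountName, Rule string }
type ClusterRoleBinding struct {
	RoleRef  string
	Subjects []Subject
}

// ResolvePermissions emits one permission per ServiceAccount bound to each role.
// Roles with no ServiceAccount subject are reported, never guessed from the role name.
func ResolvePermissions(roles []ClusterRole, bindings []ClusterRoleBinding) (perms []Permission, unbound []string) {
	saByRole := map[string][]string{}
	for _, b := range bindings {
		for _, s := range b.Subjects {
			if s.Kind == "ServiceAccount" { // users and groups are not CSV service accounts
				saByRole[b.RoleRef] = append(saByRole[b.RoleRef], s.Name)
			}
		}
	}
	for _, r := range roles {
		if len(saByRole[r.Name]) == 0 {
			unbound = append(unbound, r.Name)
			continue
		}
		for _, sa := range saByRole[r.Name] {
			perms = append(perms, Permission{ServiceAccountName: sa, Rule: r.Rule})
		}
	}
	return perms, unbound
}

func main() {
	// Constructed sample mirroring the issue: role name differs from the service account.
	roles := []ClusterRole{
		{Name: "token-reviewer", Rule: "authentication.k8s.io/tokenreviews:create"},
		{Name: "orphan-role", Rule: "example.com/widgets:list"}, // hypothetical unbound role
	}
	bindings := []ClusterRoleBinding{{RoleRef: "token-reviewer", Subjects: []Subject{
		{Kind: "ServiceAccount", Name: "example-generator-issue-operator"},
		{Kind: "User", Name: "alice"},
	}}}
	perms, unbound := ResolvePermissions(roles, bindings)
	fmt.Println(perms, unbound)
}
```

When reviewing a generated CSV, the same comparison works in reverse: every `serviceAccountName` under `clusterPermissions` should appear as a ServiceAccount subject in a binding for that role.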