Remove role, rolebinding and sa rights

openstack-k8s-operators · Dec 12, 2024 · d6c612d · d6c612d
1 parent da2d883
commit d6c612d
Show file tree

Hide file tree

Showing 5 changed files with 0 additions and 45 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -49,17 +49,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - batch
   resources:
@@ -80,28 +69,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - rolebindings
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - security.openshift.io
   resourceNames:

diff --git a/controllers/ansibletest_controller.go b/controllers/ansibletest_controller.go
@@ -54,14 +54,11 @@ func (r *AnsibleTestReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=test.openstack.org,namespace=<namespace>,resources=ansibletests/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=batch,namespace=<namespace>,resources=jobs,verbs=get;list;watch;create;patch;update;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,namespace=<namespace>,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=roles,verbs=get;list;watch;create;update;patch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=rolebindings,verbs=get;list;watch;create;update;patch
 // +kubebuilder:rbac:groups="security.openshift.io",namespace=<namespace>,resourceNames=anyuid;privileged;nonroot;nonroot-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=secrets,namespace=<namespace>,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,namespace=<namespace>,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups="",resources=pods,namespace=<namespace>,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,namespace=<namespace>,verbs=get;list;create;update;watch;patch;delete
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,namespace=<namespace>,verbs=get;list;watch;create;update;patch
 
 // Reconcile - AnsibleTest
 func (r *AnsibleTestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {

diff --git a/controllers/horizontest_controller.go b/controllers/horizontest_controller.go
@@ -51,14 +51,11 @@ func (r *HorizonTestReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=test.openstack.org,namespace=<namespace>,resources=horizontests/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=batch,namespace=<namespace>,resources=jobs,verbs=get;list;watch;create;patch;update;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,namespace=<namespace>,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=roles,verbs=get;list;watch;create;update;patch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=rolebindings,verbs=get;list;watch;create;update;patch
 // +kubebuilder:rbac:groups="security.openshift.io",namespace=<namespace>,resourceNames=anyuid;privileged;nonroot;nonroot-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=secrets,namespace=<namespace>,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,namespace=<namespace>,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups="",resources=pods,namespace=<namespace>,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,namespace=<namespace>,verbs=get;list;create;update;watch;patch;delete
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,namespace=<namespace>,verbs=get;list;watch;create;update;patch
 
 // Reconcile - HorizonTest
 func (r *HorizonTestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {

diff --git a/controllers/tempest_controller.go b/controllers/tempest_controller.go
@@ -56,14 +56,11 @@ func (r *TempestReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=test.openstack.org,namespace=<namespace>,resources=tempests/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=batch,resources=jobs,namespace=<namespace>,verbs=get;list;watch;create;patch;update;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,namespace=<namespace>,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=roles,verbs=get;list;watch;create;update;patch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=rolebindings,verbs=get;list;watch;create;update;patch
 // +kubebuilder:rbac:groups="security.openshift.io",namespace=<namespace>,resourceNames=anyuid;privileged;nonroot;nonroot-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=secrets,namespace=<namespace>,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,namespace=<namespace>,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups="",resources=pods,namespace=<namespace>,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,namespace=<namespace>,verbs=get;list;create;update;watch;patch;delete
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,namespace=<namespace>,verbs=get;list;watch;create;update;patch
 
 // Reconcile - Tempest
 func (r *TempestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {

diff --git a/controllers/tobiko_controller.go b/controllers/tobiko_controller.go
@@ -57,14 +57,11 @@ func (r *TobikoReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups=test.openstack.org,namespace=<namespace>,resources=tobikoes/finalizers,verbs=update;patch
 // +kubebuilder:rbac:groups=batch,namespace=<namespace>,resources=jobs,verbs=get;list;watch;create;patch;update;delete;
 // +kubebuilder:rbac:groups=k8s.cni.cncf.io,namespace=<namespace>,resources=network-attachment-definitions,verbs=get;list;watch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=roles,verbs=get;list;watch;create;update;patch
-// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",namespace=<namespace>,resources=rolebindings,verbs=get;list;watch;create;update;patch
 // +kubebuilder:rbac:groups="security.openshift.io",namespace=<namespace>,resourceNames=anyuid;privileged;nonroot;nonroot-v2,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",namespace=<namespace>,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",namespace=<namespace>,resources=configmaps,verbs=get;list;watch;create;update;patch;delete;
 // +kubebuilder:rbac:groups="",namespace=<namespace>,resources=pods,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups="",namespace=<namespace>,resources=persistentvolumeclaims,verbs=get;list;create;update;watch;patch;delete
-// +kubebuilder:rbac:groups="",namespace=<namespace>,resources=serviceaccounts,verbs=get;list;watch;create;update;patch
 
 // Reconcile - Tobiko
 func (r *TobikoReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {