Reduce the permissions for milvus-operator-manager-role #268

Merged
merged 1 commit into from
Feb 20, 2025


git001
Contributor

@git001 git001 commented Feb 19, 2025

Based on #266, this PR reduces the permissions for the milvus-operator-manager-role.

@sre-ci-robot
Collaborator

Welcome @git001! It looks like this is your first PR to zilliztech/milvus-operator 🎉

@git001 git001 force-pushed the 2025-02-19_Reduce-permissions branch from 22d53dd to 1a54229 Compare February 19, 2025 10:32
@haorenfsa
Collaborator

/approve


codecov bot commented Feb 19, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 76.91%. Comparing base (47c2023) to head (1a54229).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #268   +/-   ##
=======================================
  Coverage   76.91%   76.91%           
=======================================
  Files          64       64           
  Lines        6713     6713           
=======================================
  Hits         5163     5163           
  Misses       1347     1347           
  Partials      203      203           


@haorenfsa
Collaborator

It's generated through comments here:

//+kubebuilder:rbac:groups=milvus.io,resources=milvuses,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=milvus.io,resources=milvuses/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=milvus.io,resources=milvuses/finalizers,verbs=update
//+kubebuilder:rbac:groups=apps,resources="*",verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="",resources="*",verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="policy",resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="policy",resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=roles,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="monitoring.coreos.com",resources=servicemonitors;podmonitors,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=list;get;watch
//+kubebuilder:rbac:groups=extensions,resources=statefulsets;deployments;pods;secrets;services,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=extensions,resources=ingresses,verbs=get;list;watch;create;update;patch;delete
// Reconcile is part of the main kubernetes reconciliation loop which aims to
// move the current state of the cluster closer to the desired state.
//
// For more details, check Reconcile and its Result here:
// - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
func (r *MilvusReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

If it is convenient, you can modify line 64 and then generate the changes with make deploy-manifests

@git001
Contributor Author

git001 commented Feb 19, 2025

> If it is convenient, you can modify line 64 and then generate the changes with make deploy-manifests

Done.

alex@alex-tuxedoinfinitybooks1517gen7 on 19/02/2025 at 13:01:08_CET /datadisk/git-repos/milvus-operator $
# git diff pkg/controllers/milvus_controller.go
diff --git a/pkg/controllers/milvus_controller.go b/pkg/controllers/milvus_controller.go
index 5639b00..2963f55 100644
--- a/pkg/controllers/milvus_controller.go
+++ b/pkg/controllers/milvus_controller.go
@@ -61,7 +61,7 @@ type MilvusReconciler struct {
 //+kubebuilder:rbac:groups=milvus.io,resources=milvuses/finalizers,verbs=update
 //+kubebuilder:rbac:groups=apps,resources="*",verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources="*",verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=pods;pods/exec;configmaps;secrets;services,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="policy",resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="policy",resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
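Review bot: The new `groups=""` marker still gives every listed resource the full verb set (get;list;watch;create;update;patch;delete), including `secrets` and the `pods/exec` subresource. Consider splitting `pods/exec` and `secrets` into their own markers with only the verbs the reconciler actually issues, since one shared verb list forces the widest grant onto all five resources. The unchanged context line `groups=apps,resources="*"` is still a wildcard and is a candidate for the same narrowing in a follow-up.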
alex@alex-tuxedoinfinitybooks1517gen7 on 19/02/2025 at 13:01:14_CET /datadisk/git-repos/milvus-operator $
# 

The role yaml

alex@alex-tuxedoinfinitybooks1517gen7 on 19/02/2025 at 13:01:14_CET /datadisk/git-repos/milvus-operator $
# git diff config/rbac/role.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 3298c5a..a1329d7 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -7,7 +7,11 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - '*'
+  - configmaps
+  - pods
+  - pods/exec
+  - secrets
+  - services
   verbs:
   - create
   - delete
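Review bot: Replacing `'*'` with five named resources under the core API group means any request the controller makes for another core resource will now be denied, so it is worth confirming before merge that nothing in the reconcile paths touches resources outside `configmaps`, `pods`, `pods/exec`, `secrets` and `services` (for example events, serviceaccounts or persistentvolumeclaims). Since this file is generated from the markers in `pkg/controllers/milvus_controller.go`, the change should come from a clean `make deploy-manifests` run rather than a hand edit, so the two stay in sync.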

But at the make stage it looks like there is an issue somewhere.

alex@alex-tuxedoinfinitybooks1517gen7 on 19/02/2025 at 12:59:05_CET /datadisk/git-repos/milvus-operator $
# make deploy-manifests
/datadisk/git-repos/milvus-operator/bin/controller-gen "crd:maxDescLen=0" rbac:roleName=manager-role  webhook paths="./..." output:crd:artifacts:config=config/crd/bases
go: creating new go.mod: module tmp
Downloading sigs.k8s.io/kustomize/kustomize/[email protected]
go: sigs.k8s.io/kustomize/kustomize/[email protected] (in sigs.k8s.io/kustomize/kustomize/[email protected]):
	The go.mod file for the module providing named packages contains one or
	more exclude directives. It must not contain directives that would cause
	it to be interpreted differently than if it were the main module.
make: *** [Makefile:221: kustomize] Error 1

@haorenfsa
Collaborator

@git001 Thank you! I'll take care of the rest

@haorenfsa
Collaborator

/lgtm

@sre-ci-robot sre-ci-robot added the lgtm looks good to merge label Feb 20, 2025
@sre-ci-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: git001, haorenfsa


@sre-ci-robot sre-ci-robot merged commit 179ea3a into zilliztech:main Feb 20, 2025
14 checks passed