refactor ovn clusterrole (#3755)

Signed-off-by: 马洪贞 <hzma@alauda.io>
kubeovn · Feb 26, 2024 · b5f7a63 · b5f7a63
1 parent 76ea1c1
commit b5f7a63
Show file tree

Hide file tree

Showing 3 changed files with 153 additions and 78 deletions.
diff --git a/charts/kube-ovn/templates/ovn-CR.yaml b/charts/kube-ovn/templates/ovn-CR.yaml
@@ -54,17 +54,28 @@ rules:
       - ""
     resources:
       - pods
-      - pods/exec
       - namespaces
-      - nodes
-      - configmaps
     verbs:
-      - create
       - get
       - list
+      - patch
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
       - patch
       - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/exec
+    verbs:
+      - create
   - apiGroups:
       - "k8s.cni.cncf.io"
     resources:
@@ -74,40 +85,53 @@ rules:
   - apiGroups:
       - ""
       - networking.k8s.io
-      - apps
     resources:
       - networkpolicies
-      - daemonsets
+      - configmaps
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - ""
       - apps
     resources:
+      - daemonsets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
       - services/status
     verbs:
+      - get
+      - list
       - update
+      - create
+      - delete
+      - watch
   - apiGroups:
       - ""
-      - networking.k8s.io
-      - apps
-      - extensions
     resources:
-      - services
       - endpoints
+    verbs:
+      - create
+      - update
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
       - statefulsets
       - deployments
       - deployments/scale
     verbs:
+      - get
+      - list
       - create
       - delete
       - update
-      - patch
-      - get
-      - list
-      - watch
   - apiGroups:
       - ""
     resources:
@@ -148,8 +172,6 @@ rules:
       - patch
   - apiGroups:
       - ""
-      - networking.k8s.io
-      - apps
     resources:
       - services
       - endpoints
@@ -173,29 +195,34 @@ metadata:
 rules:
   - apiGroups:
       - "kubeovn.io"
+      - ""
     resources:
       - subnets
       - provider-networks
-      - ovn-eips
-      - ovn-eips/status
-      - ips
+      - pods
     verbs:
       - get
       - list
-      - patch
-      - update
       - watch
   - apiGroups:
       - ""
+      - "kubeovn.io"
     resources:
-      - pods
+      - ovn-eips
+      - ovn-eips/status
       - nodes
-      - configmaps
     verbs:
       - get
       - list
       - patch
       - watch
+  - apiGroups:
+      - "kubeovn.io"
+    resources:
+      - ips
+    verbs:
+      - get
+      - update
   - apiGroups:
       - ""
     resources:
@@ -222,8 +249,6 @@ rules:
       - get
       - list
   - apiGroups:
-      - ""
-      - networking.k8s.io
       - apps
     resources:
       - daemonsets

diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -2831,8 +2831,6 @@ rules:
       - patch
   - apiGroups:
       - ""
-      - networking.k8s.io
-      - apps
     resources:
       - services
       - endpoints
@@ -2923,17 +2921,28 @@ rules:
       - ""
     resources:
       - pods
-      - pods/exec
       - namespaces
-      - nodes
-      - configmaps
     verbs:
-      - create
       - get
       - list
+      - patch
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
       - patch
       - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/exec
+    verbs:
+      - create
   - apiGroups:
       - "k8s.cni.cncf.io"
     resources:
@@ -2943,40 +2952,53 @@ rules:
   - apiGroups:
       - ""
       - networking.k8s.io
-      - apps
     resources:
       - networkpolicies
-      - daemonsets
+      - configmaps
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - ""
       - apps
     resources:
+      - daemonsets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
       - services/status
     verbs:
+      - get
+      - list
       - update
+      - create
+      - delete
+      - watch
   - apiGroups:
       - ""
-      - networking.k8s.io
-      - apps
-      - extensions
     resources:
-      - services
       - endpoints
+    verbs:
+      - create
+      - update
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
       - statefulsets
       - deployments
       - deployments/scale
     verbs:
+      - get
+      - list
       - create
       - delete
       - update
-      - patch
-      - get
-      - list
-      - watch
   - apiGroups:
       - ""
     resources:
@@ -3031,29 +3053,34 @@ metadata:
 rules:
   - apiGroups:
       - "kubeovn.io"
+      - ""
     resources:
       - subnets
       - provider-networks
-      - ovn-eips
-      - ovn-eips/status
-      - ips
+      - pods
     verbs:
       - get
       - list
-      - patch
-      - update
       - watch
   - apiGroups:
       - ""
+      - "kubeovn.io"
     resources:
-      - pods
+      - ovn-eips
+      - ovn-eips/status
       - nodes
-      - configmaps
     verbs:
       - get
       - list
       - patch
       - watch
+  - apiGroups:
+      - "kubeovn.io"
+    resources:
+      - ips
+    verbs:
+      - get
+      - update
   - apiGroups:
       - ""
     resources:
@@ -3101,8 +3128,6 @@ rules:
       - get
       - list
   - apiGroups:
-      - ""
-      - networking.k8s.io
       - apps
     resources:
       - daemonsets