Updating RBAC for Controller

Signed-off-by: ytimocin <[email protected]>
radius-project · Dec 8, 2023 · 560b3fd · 560b3fd
1 parent 03ae959
commit 560b3fd
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 39 deletions.
diff --git a/.github/workflows/long-running-azure.yaml b/.github/workflows/long-running-azure.yaml
@@ -4,7 +4,7 @@
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#    
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
@@ -17,21 +17,21 @@
 # This workflow performs functional tests every an hour on a pre-provisioned
 # AKS (Azure Kubernetes Service) cluster.
 #
-# There are two types of tests in Radius: functional-test and e2e-azure-test. 
-# 'functional-test' checks the functionality of our application using a local 
-# Kubernetes cluster (kind), while 'e2e-azure-test' is executed on an AKS cluster 
-# focusing on performance and reliability. 
+# There are two types of tests in Radius: functional-test and e2e-azure-test.
+# 'functional-test' checks the functionality of our application using a local
+# Kubernetes cluster (kind), while 'e2e-azure-test' is executed on an AKS cluster
+# focusing on performance and reliability.
 #
-# The test AKS cluster is pre-provisioned with various monitoring tools using the 
-# Bicep template in /test/infra/azure. Additionally, this cluster has a 
-# monitoring and alerting system in place, configured to notify the team of any 
+# The test AKS cluster is pre-provisioned with various monitoring tools using the
+# Bicep template in /test/infra/azure. Additionally, this cluster has a
+# monitoring and alerting system in place, configured to notify the team of any
 # abnormalities during the test.
 #
-# It's also important to note that this workflow does not build the Radius in every 
-# run. Instead, Radius CLI and container images are built from the main branch every 
-# 12 hours. We leverage the GitHub Actions cache to store the 'rad cli' and test 
-# information. On workflow initiation, it checks the last build time to determine if 
-# the previous build is still valid. If valid, the workflow skips the build steps 
+# It's also important to note that this workflow does not build the Radius in every
+# run. Instead, Radius CLI and container images are built from the main branch every
+# 12 hours. We leverage the GitHub Actions cache to store the 'rad cli' and test
+# information. On workflow initiation, it checks the last build time to determine if
+# the previous build is still valid. If valid, the workflow skips the build steps
 # and uses the cached 'rad cli' for testing.
 #
 # Grafana dashboard URL: https://radiuse2e00-dashboard-audycmffgberbghy.wus3.grafana.azure.com/
@@ -45,11 +45,11 @@ on:
     branches:
       - main
     paths:
-      - '.github/workflows/long-running-azure.yaml'
+      - ".github/workflows/long-running-azure.yaml"
 
 env:
   # Go version
-  GOVER: '^1.21'
+  GOVER: "^1.21"
   GOPROXY: https://proxy.golang.org
 
   # gotestsum version - see: https://github.com/gotestyourself/gotestsum
@@ -68,17 +68,18 @@ env:
   # The Radius helm chart location.
   RADIUS_CHART_LOCATION: deploy/Chart/
   # The region for AWS resources
-  AWS_REGION: 'us-west-2'
+  AWS_REGION: "us-west-2"
   # The AWS account ID
-  AWS_ACCOUNT_ID: '${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}'
+  AWS_ACCOUNT_ID: "${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}"
 
   # The valid radius build time window in seconds to rebuild radius. 24 hours = 24 * 60 * 60 = 86400
   VALID_RADIUS_BUILD_WINDOW: 86400
 
   # The AKS cluster name
-  AKS_CLUSTER_NAME: 'radiuse2e00-aks'
+  AKS_CLUSTER_NAME: "radiuse2e00-aks"
   # The resource group for AKS_CLUSTER_NAME resource.
-  AKS_RESOURCE_GROUP: 'radiuse2e00'
+  AKS_RESOURCE_GROUP:
+    "radiuse2e00"
 
     # Server where terraform test modules are deployed
   TF_RECIPE_MODULE_SERVER_URL: "http://tf-module-server.radius-test-tf-module-server.svc.cluster.local"
@@ -123,9 +124,9 @@ jobs:
       - name: Set up checkout target (pull_request)
         if: steps.skip-build.outputs.SKIP_BUILD != 'true' && github.event_name == 'pull_request'
         run: |
-            echo "CHECKOUT_REPO=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_ENV
-            echo "CHECKOUT_REF=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
-            echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
+          echo "CHECKOUT_REPO=${{ github.event.pull_request.head.repo.full_name }}" >> $GITHUB_ENV
+          echo "CHECKOUT_REF=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+          echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
       - name: Generate ID for release
         id: gen-id
         run: |
@@ -151,18 +152,18 @@ jobs:
             echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
           fi
       - name: Check out code
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         uses: actions/checkout@v3
         with:
           repository: ${{ env.CHECKOUT_REPO }}
           ref: ${{ env.CHECKOUT_REF }}
       - name: Set up Go ${{ env.GOVER }}
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         uses: actions/setup-go@v4
         with:
           go-version: ${{ env.GOVER }}
       - name: Log the summary of build info for new version.
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         continue-on-error: true
         run: |
           cat <<EOF > summary.md
@@ -186,15 +187,15 @@ jobs:
           * ucp test image location: `${{ env.CONTAINER_REGISTRY }}/ucpd:${{ steps.gen-id.outputs.REL_VERSION }}`
 
           </details>
-          
+
           ## Test Status
           EOF
           cat summary.md >> $GITHUB_STEP_SUMMARY
       - name: Setup Azure CLI
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
       - name: Login to Azure
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         uses: azure/login@v1
         with:
           creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
@@ -205,14 +206,14 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Push container images
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         run: |
           make build && make docker-build && make docker-push
         env:
           DOCKER_REGISTRY: ${{ env.CONTAINER_REGISTRY }}
           DOCKER_TAG_VERSION: ${{ env.REL_VERSION }}
       - name: Upload CLI binary
-        if: steps.skip-build.outputs.SKIP_BUILD != 'true' 
+        if: steps.skip-build.outputs.SKIP_BUILD != 'true'
         uses: actions/upload-artifact@v3
         with:
           name: ${{ steps.gen-id.outputs.RAD_CLI_ARTIFACT_NAME }}

diff --git a/deploy/Chart/templates/controller/rbac.yaml b/deploy/Chart/templates/controller/rbac.yaml
@@ -36,16 +36,9 @@ rules:
 - apiGroups:
   - radapp.io
   resources:
-  - recipes
-  - recipes/status
+  - '*'
   verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - '*'
 - apiGroups:
   - api.ucp.dev
   resources: