Add Cluster Roles and Rolebindings to Operator Deployment

Signed-off-by: Anish Asthana <anishasthana1@gmail.com>

Author: anishasthana

config/internal/mcad/clusterrole_custom-metrics-server-resources.yaml renamed to config/internal/mcad/clusterrole_custom-metrics-server-admin.yaml.tmpl

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: custom-metrics-server-resources
+  name: {{.Name}}-mcad-custom-metrics-server-admin-role
 rules:
   - apiGroups:
       - custom.metrics.k8s.io

config/internal/mcad/clusterrole_system-controller-xqueuejob-controller.yaml renamed to config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl

@@ -3,14 +3,13 @@ kind: ClusterRole
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
-  name: system:controller:xqueuejob-controller
+  name: {{.Name}}-mcad-controller-role
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
 rules:
   - apiGroups:
       - mcad.ibm.com
     resources:
-      - xqueuejobs
       - queuejobs
       - schedulingspecs
       - appwrappers
@@ -30,6 +29,7 @@ rules:
     resources:
       - persistentvolumes
       - namespaces
+      - lists
     verbs:
       - create
       - delete
@@ -39,12 +39,10 @@ rules:
       - patch
       - update
       - watch
-  # {{ if .Values.quotaManagement.rbac.apiGroup }}
-  # {{ if .Values.quotaManagement.rbac.resource }}
   - apiGroups:
-      - {{.Values.quotaManagement.rbac.apiGroup}}
+      - scheduling.sigs.k8s.io
     resources:
-      - {{.Values.quotaManagement.rbac.resource}}
+      - podgroups
     verbs:
       - get
       - list
@@ -53,21 +51,3 @@ rules:
       - update
       - patch
       - delete
-  # {{ end }}
-  # {{ end }}
-  # {{ if .Values.coscheduler.rbac.apiGroup }}
-  # {{ if .Values.coscheduler.rbac.resource }}
-  - apiGroups:
-      - {{.Values.coscheduler.rbac.apiGroup}}
-    resources:
-      - {{.Values.coscheduler.rbac.resource}}
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-# {{ end }}
-# {{ end }}

config/internal/mcad/clusterrole_metrics-resource-reader.yaml renamed to config/internal/mcad/clusterrole_metrics-resource-reader.yaml.tmpl

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: custom-metrics-resource-reader
+  name: {{.Name}}-mcad-metrics-resource-reader-role
 rules:
   - apiGroups:
       - ""

config/internal/mcad/clusterrolebinding_hpa-controller-custom-metrics.yaml renamed to config/internal/mcad/clusterrolebinding_hpa-controller-custom-metrics.yaml.tmpl

@@ -5,8 +5,8 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: custom-metrics-server-resources
+  name: {{.Name}}-mcad-custom-metrics-server-admin-role
 subjects:
   - kind: ServiceAccount
     name: horizontal-pod-autoscaler
-    namespace: {{.Namespace}}
+    namespace: kube-system

config/internal/mcad/clusterrolebinding_system-controller-xqueuejob-controller-kube-scheduler.yaml renamed to config/internal/mcad/clusterrolebinding_mcad-controller-kube-scheduler.yaml.tmpl

@@ -1,17 +1,16 @@
-# {{ if .Values.serviceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
-  name: system:controller:xqueuejob-controller-kube-scheduler
+  name: {{.Name}}-mcad-controller-kube-scheduler-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:kube-scheduler
 subjects:
   - kind: ServiceAccount
-    name: {{.Values.serviceAccount}}
-    namespace: kube-system
+    name: mcad-controller-{{.Name}}
+    namespace: {{.Namespace}}

config/internal/mcad/clusterrolebinding_system-controller-xqueuejob-controller.yaml renamed to config/internal/mcad/clusterrolebinding_mcad-controller.yaml.tmpl

@@ -1,17 +1,16 @@
-# {{ if .Values.serviceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
-  name: system:controller:xqueuejob-controller
+  name: {{.Name}}-mcad-controller-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:controller:xqueuejob-controller
+  name: {{.Name}}-mcad-controller-role
 subjects:
   - kind: ServiceAccount
-    name: {{.Values.serviceAccount}}
-    namespace: kube-system
+    name: mcad-controller-{{.Name}}
+    namespace: {{.Namespace}}

config/internal/mcad/clusterrolebinding_system-controller-xqueuejob-controller-edit.yaml renamed to config/internal/mcad/clusterrolebinding_mcad-edit.yaml.tmpl

@@ -1,17 +1,16 @@
-# {{ if .Values.serviceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
-  name: system:controller:xqueuejob-controller-edit
+  name: {{.Name}}-mcad-edit-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: edit
 subjects:
   - kind: ServiceAccount
-    name: {{.Values.serviceAccount}}
-    namespace: kube-system
+    name: mcad-controller-{{.Name}}
+    namespace: {{.Namespace}}

config/internal/mcad/clusterrolebinding_custom-metrics-system-auth-delegator.yaml renamed to config/internal/mcad/clusterrolebinding_mcad-system-auth-delegator.yaml.tmpl

@@ -1,13 +1,12 @@
-# {{ if .Values.serviceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: custom-metrics:system:auth-delegator
+  name: {{.Name}}-mcad-system:auth-delegator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:auth-delegator
 subjects:
   - kind: ServiceAccount
-    name: {{.Values.serviceAccount}}
-    namespace: kube-system
+    name: mcad-controller-{{.Name}}
+    namespace: {{.Namespace}}

config/internal/mcad/clusterrolebinding_custom-metrics-resource-reader.yaml renamed to config/internal/mcad/clusterrolebinding_metrics-resource-reader.yaml.tmpl

@@ -1,13 +1,12 @@
-# {{ if .Values.serviceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: custom-metrics-resource-reader
+  name: {{.Name}}-mcad-metrics-resource-reader-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: custom-metrics-resource-reader
+  name: {{.Name}}-mcad-metrics-resource-reader-role
 subjects:
   - kind: ServiceAccount
-    name: {{.Values.serviceAccount}}
-    namespace: kube-system
+    name: mcad-controller-{{.Name}}
+    namespace: {{.Namespace}}

config/rbac/edit_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-edit-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+subjects:
+  - kind: ServiceAccount
+    name: controller-manager
+    namespace: system

config/rbac/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
+- edit_role_binding.yaml  # We are using this binding as mcad requires this role
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 4 lines if you want to disable