From c6649a2b24f6d93c0fbae52ce25b08bbf3e5391e Mon Sep 17 00:00:00 2001 From: Michal Pryc Date: Mon, 8 Dec 2025 15:45:17 +0100 Subject: [PATCH] Updated rbac based on the vmfr project Updated CRDs based on the: https://github.com/migtools/oadp-vm-file-restore/pull/54 
Signed-off-by: Michal Pryc --- Makefile | 28 ++++ .../controller-manager_v1_serviceaccount.yaml | 8 + ...ole_rbac.authorization.k8s.io_v1_role.yaml | 40 +++++ ...c.authorization.k8s.io_v1_rolebinding.yaml | 16 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 142 ++++++++++++++++++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 ++ .../oadp-operator.clusterserviceversion.yaml | 95 ++++++++++-- ...c.authorization.k8s.io_v1_clusterrole.yaml | 10 ++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 21 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 27 ++++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 21 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 27 ++++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 21 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 27 ++++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 21 +++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 27 ++++ ...c.authorization.k8s.io_v1_clusterrole.yaml | 23 +++ config/samples/kustomization.yaml | 2 + ...alpha1_virtualmachinebackupsdiscovery.yaml | 15 ++ ...dp_v1alpha1_virtualmachinefilerestore.yaml | 9 ++ .../kustomization.yaml | 23 +++ .../leader_election_role.yaml | 40 +++++ .../leader_election_role_binding.yaml | 15 ++ .../metrics_auth_role.yaml | 17 +++ .../metrics_auth_role_binding.yaml | 12 ++ .../metrics_reader_role.yaml | 9 ++ .../vm-file-restore-controller_rbac/role.yaml | 23 ++- .../role_binding.yaml | 12 +- .../service_account.yaml | 8 +- ...ualmachinebackupsdiscovery_admin_role.yaml | 27 ++++ ...almachinebackupsdiscovery_editor_role.yaml | 33 ++++ ...almachinebackupsdiscovery_viewer_role.yaml | 29 ++++ .../virtualmachinefilerestore_admin_role.yaml | 27 ++++ ...virtualmachinefilerestore_editor_role.yaml | 33 ++++ ...virtualmachinefilerestore_viewer_role.yaml | 29 ++++ 38 files changed, 955 insertions(+), 41 
deletions(-) create mode 100644 bundle/manifests/controller-manager_v1_serviceaccount.yaml create mode 100644 bundle/manifests/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml create mode 100644 bundle/manifests/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml create mode 100644 bundle/manifests/manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 bundle/manifests/virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml create mode 100644 
bundle/manifests/virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
create mode 100644 bundle/manifests/virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
create mode 100644 config/samples/oadp_v1alpha1_virtualmachinebackupsdiscovery.yaml
create mode 100644 config/samples/oadp_v1alpha1_virtualmachinefilerestore.yaml
create mode 100644 config/vm-file-restore-controller_rbac/leader_election_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/leader_election_role_binding.yaml
create mode 100644 config/vm-file-restore-controller_rbac/metrics_auth_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/metrics_auth_role_binding.yaml
create mode 100644 config/vm-file-restore-controller_rbac/metrics_reader_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_admin_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_editor_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_viewer_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/virtualmachinefilerestore_admin_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/virtualmachinefilerestore_editor_role.yaml
create mode 100644 config/vm-file-restore-controller_rbac/virtualmachinefilerestore_viewer_role.yaml
diff --git a/Makefile b/Makefile
index 230e444e19..259cd996bd 100644
--- a/Makefile
+++ b/Makefile
@@ -907,6 +907,34 @@ endif
 $(SED) -i "s%resources:%resources:\n- $$file_name%" $(shell pwd)/config/samples/kustomization.yaml;done
 @make bundle

+.PHONY: update-vmfr-manifests
+update-vmfr-manifests: VMFR_CONTROLLER_IMG?=quay.io/konveyor/oadp-vm-file-restore:latest
+update-vmfr-manifests: VMFR_ACCESS_IMG?=quay.io/konveyor/oadp-vmfr-access:latest
+update-vmfr-manifests: VMFR_SSH_IMG?=quay.io/konveyor/oadp-vmfr-access-sshd:latest
+update-vmfr-manifests: VMFR_BROWSER_IMG?=quay.io/konveyor/oadp-vmfr-access-filebrowser:latest
+update-vmfr-manifests: yq ## Update VM File Restore (VMFR) manifests shipped with OADP, from VMFR_CONTROLLER_PATH
+ifeq ($(VMFR_CONTROLLER_PATH),)
+ $(error You must set VMFR_CONTROLLER_PATH to run this command)
+endif
+ @for file_name in $(shell ls $(VMFR_CONTROLLER_PATH)/config/crd/bases);do \
+ cp $(VMFR_CONTROLLER_PATH)/config/crd/bases/$$file_name $(shell pwd)/config/crd/bases/$$file_name && \
+ grep -q "\- bases/$$file_name" $(shell pwd)/config/crd/kustomization.yaml || \
+ $(SED) -i "s%resources:%resources:\n- bases/$$file_name%" $(shell pwd)/config/crd/kustomization.yaml;done
+ $(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_CONTROLLER") |= .value="$(VMFR_CONTROLLER_IMG)"' config/manager/manager.yaml
+ $(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_ACCESS") |= .value="$(VMFR_ACCESS_IMG)"' config/manager/manager.yaml
+ $(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_SSH") |= .value="$(VMFR_SSH_IMG)"' config/manager/manager.yaml
+ $(YQ) -i 'select(.kind == "Deployment")|= .spec.template.spec.containers[0].env |= .[] |= select(.name == "RELATED_IMAGE_VM_FILE_RESTORE_BROWSER") |= .value="$(VMFR_BROWSER_IMG)"' config/manager/manager.yaml
+ @mkdir -p $(shell pwd)/config/vm-file-restore-controller_rbac
+ @for file_name in $(shell grep -I '^\-' $(VMFR_CONTROLLER_PATH)/config/rbac/kustomization.yaml | awk -F'- ' '{print $$2}');do \
+ cp $(VMFR_CONTROLLER_PATH)/config/rbac/$$file_name $(shell pwd)/config/vm-file-restore-controller_rbac/$$file_name;done
+ @cp $(VMFR_CONTROLLER_PATH)/config/rbac/kustomization.yaml $(shell pwd)/config/vm-file-restore-controller_rbac/kustomization.yaml
+ @$(SED) -i '1i namePrefix: oadp-vm-file-restore-' $(shell pwd)/config/vm-file-restore-controller_rbac/kustomization.yaml
+ @for file_name in $(shell grep -I '^\-' $(VMFR_CONTROLLER_PATH)/config/samples/kustomization.yaml | awk -F'- ' '{print $$2}');do \
+ cp $(VMFR_CONTROLLER_PATH)/config/samples/$$file_name $(shell pwd)/config/samples/$$file_name && \
+ grep -q "\- $$file_name" $(shell pwd)/config/samples/kustomization.yaml || \
+ $(SED) -i "s%resources:%resources:\n- $$file_name%" $(shell pwd)/config/samples/kustomization.yaml;done
+ @make bundle
+
 .PHONY: build-must-gather
 build-must-gather: check-go ## Build OADP Must-gather binary must-gather/oadp-must-gather
 ifeq ($(SKIP_MUST_GATHER),true)
diff --git a/bundle/manifests/controller-manager_v1_serviceaccount.yaml b/bundle/manifests/controller-manager_v1_serviceaccount.yaml
new file mode 100644
index 0000000000..5e9940ec59
--- /dev/null
+++ b/bundle/manifests/controller-manager_v1_serviceaccount.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: controller-manager
diff --git a/bundle/manifests/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml b/bundle/manifests/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 0000000000..f640d72e92
--- /dev/null
+++ b/bundle/manifests/leader-election-role_rbac.authorization.k8s.io_v1_role.yaml
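Review bot: The recipe's last line, `@make bundle`, calls a bare `make`; it should be `@$(MAKE) bundle` so the jobserver, `-n` and command-line variable overrides propagate (the pre-existing target above ends the same way, so both could be fixed together). The `VMFR_*_IMG` defaults are mutable `:latest` tags, and this target writes them straight into the `RELATED_IMAGE_VM_FILE_RESTORE_*` values of config/manager/manager.yaml from which the bundle is generated; for anything other than a local dev sync they should be supplied as digest-pinned references (`VMFR_CONTROLLER_IMG=quay.io/konveyor/oadp-vm-file-restore@sha256:<digest>`), and the `##` help text should say so. Style: `$(shell ls $(VMFR_CONTROLLER_PATH)/config/crd/bases)` and the repeated `$(shell pwd)` can be `$(notdir $(wildcard $(VMFR_CONTROLLER_PATH)/config/crd/bases/*))` and `$(CURDIR)`, avoiding a shell fork per expansion.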
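Review bot: bundle/manifests now contains both the prefixed objects the CSV refers to (`serviceAccountName: oadp-vm-file-restore-controller-manager`) and unprefixed copies with kubebuilder's default names: this `controller-manager` ServiceAccount, `leader-election-role`, `leader-election-rolebinding` (whose subject still points at `namespace: system`), `manager-role`, `metrics-reader`, and the six `virtualmachine*-admin/editor/viewer-role` ClusterRoles later in this patch. They look like leftovers of a `make bundle` run made before `namePrefix: oadp-vm-file-restore-` was added to config/vm-file-restore-controller_rbac/kustomization.yaml; as shipped, the unprefixed `manager-role` would install a second cluster-wide ClusterRole, including `use` on the `privileged` SCC, under a generic name that collides with any other kubebuilder-based operator's `manager-role`. Unless they are intended, these files should be removed from the bundle and `make bundle` re-run from a clean tree.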
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/bundle/manifests/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml b/bundle/manifests/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml
new file mode 100644
index 0000000000..a0809a4b6f
--- /dev/null
+++ b/bundle/manifests/leader-election-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/bundle/manifests/manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..de5606f6d4
--- /dev/null
+++ b/bundle/manifests/manager-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,142 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - pods
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ - virtualmachinefilerestores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/finalizers
+ - virtualmachinefilerestores/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+- apiGroups:
+ - velero.io
+ resources:
+ - backups
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - velero.io
+ resources:
+ - datadownloads
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - velero.io
+ resources:
+ - downloadrequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - velero.io
+ resources:
+ - restores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..e34648b87a
--- /dev/null
+++ b/bundle/manifests/metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-operator.clusterserviceversion.yaml b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
index 1294a84da6..a15234f4f1 100644
--- a/bundle/manifests/oadp-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
@@ -172,6 +172,35 @@ metadata:
 }
 }
 },
+ {
+ "apiVersion": "oadp.openshift.io/v1alpha1",
+ "kind": "VirtualMachineBackupsDiscovery",
+ "metadata": {
+ "labels": {
+ "app.kubernetes.io/managed-by": "kustomize",
+ "app.kubernetes.io/name": "oadp-vm-file-restore"
+ },
+ "name": "virtualmachinebackupsdiscovery-sample"
+ },
+ "spec": {
+ "endTime": "2024-12-31T23:59:59Z",
+ "startTime": "2024-01-01",
+ "virtualMachineName": "test-vm",
+ "virtualMachineNamespace": "test-namespace"
+ }
+ },
+ {
+ "apiVersion": "oadp.openshift.io/v1alpha1",
+ "kind": "VirtualMachineFileRestore",
+ "metadata": {
+ "labels": {
+ "app.kubernetes.io/managed-by": "kustomize",
+ "app.kubernetes.io/name": "oadp-vm-file-restore"
+ },
+ "name": "virtualmachinefilerestore-sample"
+ },
+ "spec": null
+ },
 {
 "apiVersion": "velero.io/v1",
 "kind": "Backup",
@@ -845,7 +874,6 @@ spec:
 - apiGroups:
 - ""
 resources:
- - events
 - namespaces
 - pods
 - secrets
@@ -879,18 +907,6 @@ spec:
 - patch
 - update
 - watch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
 - apiGroups:
 - oadp.openshift.io
 resources:
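Review bot: The alm-examples entry for `VirtualMachineFileRestore` is generated with `"spec": null`, because config/samples/oadp_v1alpha1_virtualmachinefilerestore.yaml (added later in this patch) has a `spec:` holding only `# TODO(user): Add fields here`; the console's Create form will prefill an object with no spec, which the CRD most likely rejects. Either provide a minimal valid sample upstream in the VMFR repository (this target copies config/samples from there, so a local edit would be overwritten by the next `update-vmfr-manifests`) or leave it out of config/samples/kustomization.yaml until one exists. The `VirtualMachineBackupsDiscovery` example is fine, though its fixed `startTime`/`endTime` values will age; a comment in the sample marking them as illustrative would help.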
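Review bot: `events` is removed from the controller's cluster-scoped rules here (and likewise in config/vm-file-restore-controller_rbac/role.yaml and the bundled `manager-role` ClusterRole), while `create`/`patch` on events now exists only in the namespaced leader-election Role added under `permissions` further down. The controller's ClusterRole still manages `virtualmachinefilerestores`, pods and secrets in arbitrary namespaces, so if it records Kubernetes Events on those objects, the event writes outside the operator namespace will be rejected as Forbidden; presumably that is why the rule was cluster-wide before. Please confirm against the VMFR controller's EventRecorder usage, and if it does emit events on user-namespace objects, keep `events: create, patch` in the ClusterRole.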
@@ -944,6 +960,14 @@ spec:
 - patch
 - update
 - watch
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 - apiGroups:
 - velero.io
 resources:
@@ -983,6 +1007,18 @@ spec:
 - patch
 - update
 - watch
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 serviceAccountName: oadp-vm-file-restore-controller-manager
 - rules:
 - apiGroups:
@@ -1348,6 +1384,39 @@ spec:
 - emptyDir: {}
 name: tmp-dir
 permissions:
+ - rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ serviceAccountName: oadp-vm-file-restore-controller-manager
 - rules:
 - apiGroups:
 - ""
diff --git a/bundle/manifests/oadp-vm-file-restore-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..af9d4f5962
--- /dev/null
+++ b/bundle/manifests/oadp-vm-file-restore-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: oadp-vm-file-restore-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..c9e9d7a2fd
--- /dev/null
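Review bot: The added `use` on the `privileged` SecurityContextConstraint lands in the clusterPermissions of `oadp-vm-file-restore-controller-manager`, the same ServiceAccount whose ClusterRole already holds cluster-wide create/delete on `pods`, `secrets`, `serviceaccounts` and `rolebindings` (see the `manager-role` file in this patch); on OpenShift that lets any pod this controller creates, in any namespace, request the privileged SCC. The hunk carries no indication of which workload needs it, so please add a comment next to the rule in config/vm-file-restore-controller_rbac/role.yaml (and the kubebuilder marker it is generated from) stating the pod and the capabilities or host mounts that require `privileged`, and whether a narrower custom SCC was considered. If only the restore pods need it, binding the SCC to their own ServiceAccount rather than to the controller keeps the controller's identity out of the privileged set. The `tokenreviews`/`subjectaccessreviews` additions in the next hunk are the standard metrics-auth rules and look fine.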
+++ b/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: oadp-vm-file-restore-virtualmachinebackupsdiscovery-admin-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ verbs:
+ - '*'
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..26258f7cdd
--- /dev/null
+++ b/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: oadp-vm-file-restore-virtualmachinebackupsdiscovery-editor-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..99a7091a7b
--- /dev/null
+++ b/bundle/manifests/oadp-vm-file-restore-virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: oadp-vm-file-restore-virtualmachinebackupsdiscovery-viewer-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..6e24a9369f
--- /dev/null
+++ b/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: oadp-vm-file-restore-virtualmachinefilerestore-admin-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores
+ verbs:
+ - '*'
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..350dad4c0c
--- /dev/null
+++ b/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: oadp-vm-file-restore-virtualmachinefilerestore-editor-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
diff --git a/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..e4ab55038e
--- /dev/null
+++ b/bundle/manifests/oadp-vm-file-restore-virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: oadp-vm-file-restore-virtualmachinefilerestore-viewer-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
diff --git a/bundle/manifests/virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..a99ce03b35
--- /dev/null
+++ b/bundle/manifests/virtualmachinebackupsdiscovery-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: virtualmachinebackupsdiscovery-admin-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ verbs:
+ - '*'
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ verbs:
+ - get
diff --git a/bundle/manifests/virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..f0c3e5fc15
--- /dev/null
+++ b/bundle/manifests/virtualmachinebackupsdiscovery-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: virtualmachinebackupsdiscovery-editor-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ verbs:
+ - get
diff --git a/bundle/manifests/virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..ee92b42690
--- /dev/null
+++ b/bundle/manifests/virtualmachinebackupsdiscovery-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: virtualmachinebackupsdiscovery-viewer-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinebackupsdiscoveries/status
+ verbs:
+ - get
diff --git a/bundle/manifests/virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..71d4594f81
--- /dev/null
+++ b/bundle/manifests/virtualmachinefilerestore-admin-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: virtualmachinefilerestore-admin-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores
+ verbs:
+ - '*'
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
diff --git a/bundle/manifests/virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..b54ff63c8d
--- /dev/null
+++ b/bundle/manifests/virtualmachinefilerestore-editor-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: virtualmachinefilerestore-editor-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
diff --git a/bundle/manifests/virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
new file mode 100644
index 0000000000..b78f1254d3
--- /dev/null
+++ b/bundle/manifests/virtualmachinefilerestore-viewer-role_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: oadp-vm-file-restore
+ name: virtualmachinefilerestore-viewer-role
+rules:
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - oadp.openshift.io
+ resources:
+ - virtualmachinefilerestores/status
+ verbs:
+ - get
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index e69931523b..52e6efc37c 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -1,5 +1,7 @@
 ## Append samples of your project ##
 resources:
+- oadp_v1alpha1_virtualmachinebackupsdiscovery.yaml
+- oadp_v1alpha1_virtualmachinefilerestore.yaml
 - oadp_v1alpha1_nonadminbackupstoragelocationrequest.yaml
 - oadp_v1alpha1_nonadminbackupstoragelocation.yaml
 - oadp_v1alpha1_dataprotectionapplication.yaml
diff --git a/config/samples/oadp_v1alpha1_virtualmachinebackupsdiscovery.yaml b/config/samples/oadp_v1alpha1_virtualmachinebackupsdiscovery.yaml
new file mode 100644
index 0000000000..339d22699e
--- /dev/null
+++ b/config/samples/oadp_v1alpha1_virtualmachinebackupsdiscovery.yaml
@@ -0,0 +1,15 @@
+apiVersion: oadp.openshift.io/v1alpha1
+kind: VirtualMachineBackupsDiscovery
+metadata:
+ labels:
+ app.kubernetes.io/name: oadp-vm-file-restore
+ app.kubernetes.io/managed-by: kustomize
+ name: virtualmachinebackupsdiscovery-sample
+spec:
+ virtualMachineName: "test-vm"
+ virtualMachineNamespace: "test-namespace"
+ # Time range filtering (optional)
+ # Both formats supported:
+ startTime: "2024-01-01" # Date-only format (defaults to 00:00:00Z)
+ endTime: "2024-12-31T23:59:59Z" # Full RFC3339 format
+ # startTime: "2024-01-01T00:00:00Z" # Full RFC3339 format also works
diff --git a/config/samples/oadp_v1alpha1_virtualmachinefilerestore.yaml b/config/samples/oadp_v1alpha1_virtualmachinefilerestore.yaml
new file mode 100644
index 0000000000..59d1393455
--- /dev/null
+++ b/config/samples/oadp_v1alpha1_virtualmachinefilerestore.yaml
@@ -0,0 +1,9 @@
+apiVersion: oadp.openshift.io/v1alpha1
+kind: VirtualMachineFileRestore
+metadata:
+ labels:
+ app.kubernetes.io/name: oadp-vm-file-restore
+ app.kubernetes.io/managed-by: kustomize
+ name: virtualmachinefilerestore-sample
+spec:
+ # TODO(user): Add fields here
diff --git a/config/vm-file-restore-controller_rbac/kustomization.yaml b/config/vm-file-restore-controller_rbac/kustomization.yaml
index 55d4d0cc20..1aef8d6064 100644
--- a/config/vm-file-restore-controller_rbac/kustomization.yaml
+++ b/config/vm-file-restore-controller_rbac/kustomization.yaml
@@ -1,3 +1,4 @@
+namePrefix: oadp-vm-file-restore-
 resources:
 # All RBAC will be applied under this service account in
 # the deployment namespace. You may comment out this resource
@@ -7,3 +8,25 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml
+# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. Those roles are
+# not used by the oadp-vm-file-restore itself. You can comment the following lines
+# if you do not want those helpers be installed with your Project.
+- virtualmachinebackupsdiscovery_admin_role.yaml
+- virtualmachinebackupsdiscovery_editor_role.yaml
+- virtualmachinebackupsdiscovery_viewer_role.yaml
+- virtualmachinefilerestore_admin_role.yaml
+- virtualmachinefilerestore_editor_role.yaml
+- virtualmachinefilerestore_viewer_role.yaml
+
diff --git a/config/vm-file-restore-controller_rbac/leader_election_role.yaml b/config/vm-file-restore-controller_rbac/leader_election_role.yaml
new file mode 100644
index 0000000000..6d09362119
--- /dev/null
+++ b/config/vm-file-restore-controller_rbac/leader_election_role.yaml
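Review bot: The resource list now pulls in the six `virtualmachine*_admin/editor/viewer_role.yaml` ClusterRoles that the comment directly above them says are not used by oadp-vm-file-restore itself, plus `metrics_reader_role.yaml`, which has no binding; via `make bundle` every one of these becomes a cluster-scoped object installed by the OADP operator. Since `update-vmfr-manifests` overwrites this file from the VMFR repository, the filtering belongs in the Makefile copy loop (skip names matching `*_admin_role.yaml`, `*_editor_role.yaml`, `*_viewer_role.yaml` and `metrics_reader_role.yaml`) rather than a hand edit here; alternatively, if they are meant as user-facing helpers, label them with `rbac.authorization.k8s.io/aggregate-to-admin`/`-edit`/`-view` so they aggregate into the built-in roles instead of shipping as loose ClusterRoles.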
@@ -0,0 +1,40 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/vm-file-restore-controller_rbac/leader_election_role_binding.yaml b/config/vm-file-restore-controller_rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000000..174adc58a0 --- /dev/null +++ b/config/vm-file-restore-controller_rbac/leader_election_role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/vm-file-restore-controller_rbac/metrics_auth_role.yaml b/config/vm-file-restore-controller_rbac/metrics_auth_role.yaml new file mode 100644 index 0000000000..32d2e4ec6b --- /dev/null +++ b/config/vm-file-restore-controller_rbac/metrics_auth_role.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-auth-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create 
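Review bot: The leader-election Role grants full CRUD (`create`/`update`/`patch`/`delete`) on core `configmaps` in addition to `coordination.k8s.io` `leases`; controller-runtime has defaulted to the leases resource lock for several releases, so unless the manager is configured with the `configmapsleases` lock the configmaps rule is unused write privilege in the deployment namespace. If the lock type is leases-only, drop the configmaps rule; if the multi-lock is still in use for migration, document it, e.g. `# configmaps needed only while LeaderElectionResourceLock is configmapsleases`. The manager's lock configuration is not visible in this patch, so this should be confirmed against the deployment.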
diff --git a/config/vm-file-restore-controller_rbac/metrics_auth_role_binding.yaml b/config/vm-file-restore-controller_rbac/metrics_auth_role_binding.yaml new file mode 100644 index 0000000000..e775d67ff0 --- /dev/null +++ b/config/vm-file-restore-controller_rbac/metrics_auth_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics-auth-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics-auth-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/vm-file-restore-controller_rbac/metrics_reader_role.yaml b/config/vm-file-restore-controller_rbac/metrics_reader_role.yaml new file mode 100644 index 0000000000..51a75db47a --- /dev/null +++ b/config/vm-file-restore-controller_rbac/metrics_reader_role.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/config/vm-file-restore-controller_rbac/role.yaml b/config/vm-file-restore-controller_rbac/role.yaml index 87b6a929b9..455e28a9d1 100644 --- a/config/vm-file-restore-controller_rbac/role.yaml +++ b/config/vm-file-restore-controller_rbac/role.yaml @@ -2,12 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: oadp-vm-file-restore-controller-manager-role + name: manager-role rules: - apiGroups: - "" resources: - - events - namespaces - pods - secrets @@ -41,18 +40,6 @@ rules: - patch - update - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - apiGroups: - oadp.openshift.io resources: 
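Review bot: After the first role.yaml hunk the controller's ClusterRole still lists core `secrets` (alongside `namespaces` and `pods`) as a cluster-wide resource; the verbs for that rule continue outside the hunk, but even read-only `get`/`list` on secrets across all namespaces lets a compromised controller read every credential in the cluster. If the controller only needs the backup-storage credentials in the OADP/velero namespace, move that rule into a namespaced Role bound in that namespace; if cluster-wide access is genuinely required (e.g. secrets in the VM namespaces), add a comment naming which secrets and why, e.g. `# secrets: cluster-wide read required for <reason>; cannot be namespaced because <reason>`. Removing `events` and the `leases` block from the ClusterRole in these hunks is a welcome reduction; the secrets rule is the remaining broad grant.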
@@ -106,6 +93,14 @@ rules: - patch - update - watch +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use - apiGroups: - velero.io resources: diff --git a/config/vm-file-restore-controller_rbac/role_binding.yaml b/config/vm-file-restore-controller_rbac/role_binding.yaml index 7244a050fe..de4bc0707b 100644 --- a/config/vm-file-restore-controller_rbac/role_binding.yaml +++ b/config/vm-file-restore-controller_rbac/role_binding.yaml @@ -2,18 +2,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: oadp-vm-file-restore-controller-manager-rolebinding - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: oadp-operator - app.kubernetes.io/part-of: oadp-operator + app.kubernetes.io/name: oadp-vm-file-restore app.kubernetes.io/managed-by: kustomize - name: oadp-vm-file-restore-controller-manager-rolebinding + name: manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: oadp-vm-file-restore-controller-manager-role + name: manager-role subjects: - kind: ServiceAccount - name: oadp-vm-file-restore-controller-manager + name: controller-manager namespace: system diff --git a/config/vm-file-restore-controller_rbac/service_account.yaml b/config/vm-file-restore-controller_rbac/service_account.yaml index 7810ec02c4..6a8788433a 100644 --- a/config/vm-file-restore-controller_rbac/service_account.yaml +++ b/config/vm-file-restore-controller_rbac/service_account.yaml 
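Review bot: The new rule grants the controller-manager ServiceAccount `use` on the `privileged` SecurityContextConstraint through a ClusterRole (bound cluster-wide by the ClusterRoleBinding in the following hunk), which allows that SA to admit fully privileged pods in any namespace; together with the cluster-wide `pods` access retained earlier in this file, anyone who controls the SA token or can make the controller create pods is close to node compromise. If the privileged pods (presumably the restore helpers that mount VM disks) are only created in a known namespace, grant the SCC via a namespaced Role/RoleBinding there so the grant is scoped, and in either case add a comment justifying `privileged` over a purpose-built SCC, e.g. `# 'use' on privileged SCC: restore pods need <capability>; a dedicated SCC should replace this`. Whether the restore pods run in a fixed namespace is not determinable from this patch.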
@@ -2,11 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: oadp-vm-file-restore-controller-manager-sa - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: oadp-operator - app.kubernetes.io/part-of: oadp-operator + app.kubernetes.io/name: oadp-vm-file-restore app.kubernetes.io/managed-by: kustomize - name: oadp-vm-file-restore-controller-manager + name: controller-manager namespace: system diff --git a/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_admin_role.yaml b/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_admin_role.yaml new file mode 100644 index 0000000000..723bb800b8 --- /dev/null +++ b/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project oadp-vm-file-restore itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over oadp.openshift.io. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: virtualmachinebackupsdiscovery-admin-role +rules: +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinebackupsdiscoveries + verbs: + - '*' +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinebackupsdiscoveries/status + verbs: + - get diff --git a/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_editor_role.yaml b/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_editor_role.yaml new file mode 100644 index 0000000000..9010bacb20 --- /dev/null 
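Review bot: The header comment of the admin role claims it `Grants full permissions ('*') over oadp.openshift.io`, but the rule is scoped to `virtualmachinebackupsdiscoveries` only (plus `get` on its status), so the comment overstates the grant; and `'*'` silently includes verbs such as `deletecollection` and any verb added to the API later. Suggest rewording to `# Grants full permissions ('*') over virtualmachinebackupsdiscoveries in oadp.openshift.io` and, since these helper ClusterRoles are intended to be handed to users, enumerating the verbs explicitly as the editor role does. Because the reconciling controller holds cluster-wide permissions elsewhere in this patch, the comment should also recommend binding these roles with a namespaced RoleBinding unless cluster-wide delegation is intended.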
+++ b/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_editor_role.yaml @@ -0,0 +1,33 @@ +# This rule is not used by the project oadp-vm-file-restore itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the oadp.openshift.io. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: virtualmachinebackupsdiscovery-editor-role +rules: +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinebackupsdiscoveries + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinebackupsdiscoveries/status + verbs: + - get diff --git a/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_viewer_role.yaml b/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_viewer_role.yaml new file mode 100644 index 0000000000..40acc0f0b4 --- /dev/null +++ b/config/vm-file-restore-controller_rbac/virtualmachinebackupsdiscovery_viewer_role.yaml 
@@ -0,0 +1,29 @@ +# This rule is not used by the project oadp-vm-file-restore itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to oadp.openshift.io resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: virtualmachinebackupsdiscovery-viewer-role +rules: +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinebackupsdiscoveries + verbs: + - get + - list + - watch +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinebackupsdiscoveries/status + verbs: + - get diff --git a/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_admin_role.yaml b/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_admin_role.yaml new file mode 100644 index 0000000000..cf0f8b3f20 --- /dev/null +++ b/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_admin_role.yaml 
@@ -0,0 +1,27 @@ +# This rule is not used by the project oadp-vm-file-restore itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over oadp.openshift.io. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: virtualmachinefilerestore-admin-role +rules: +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinefilerestores + verbs: + - '*' +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinefilerestores/status + verbs: + - get diff --git a/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_editor_role.yaml b/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_editor_role.yaml new file mode 100644 index 0000000000..876ce1e18d --- /dev/null +++ b/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_editor_role.yaml 
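Review bot: As with its backups-discovery sibling, the admin role's header says it `Grants full permissions ('*') over oadp.openshift.io` while the rule only covers `virtualmachinefilerestores` and `get` on its status, and `'*'` is open-ended rather than an explicit verb list. For a resource whose creation drives the controller's restore actions, the grant should be described precisely and the verbs enumerated; suggest `# Grants full permissions over virtualmachinefilerestores (oadp.openshift.io); bind per namespace with a RoleBinding` in place of the first comment line. The comment about delegating to other users is scaffold text and does not reflect any RBAC-management verbs actually present in the rule.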
@@ -0,0 +1,33 @@ +# This rule is not used by the project oadp-vm-file-restore itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the oadp.openshift.io. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: virtualmachinefilerestore-editor-role +rules: +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinefilerestores + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinefilerestores/status + verbs: + - get diff --git a/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_viewer_role.yaml b/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_viewer_role.yaml new file mode 100644 index 0000000000..9de7d5be5e --- /dev/null +++ b/config/vm-file-restore-controller_rbac/virtualmachinefilerestore_viewer_role.yaml 
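Review bot: The editor role grants `create`/`delete`/`patch`/`update` on `virtualmachinefilerestores` as a ClusterRole without any note that creating one of these objects causes the controller — which in this same patch receives `use` on the `privileged` SCC and cluster-wide `secrets`/`pods` access — to act on the user's behalf, so whoever holds this role effectively drives privileged restore operations. The header comment should say so and steer administrators to a namespaced binding, e.g. `# Creating a VirtualMachineFileRestore triggers privileged controller actions; bind this role per namespace via RoleBinding, not ClusterRoleBinding.` What a restore touches inside the VM is not visible here (the sample spec in this patch is empty), so the wording should be confirmed against the CRD's spec fields.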
@@ -0,0 +1,29 @@ +# This rule is not used by the project oadp-vm-file-restore itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to oadp.openshift.io resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: oadp-vm-file-restore + app.kubernetes.io/managed-by: kustomize + name: virtualmachinefilerestore-viewer-role +rules: +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinefilerestores + verbs: + - get + - list + - watch +- apiGroups: + - oadp.openshift.io + resources: + - virtualmachinefilerestores/status + verbs: + - get