Merge pull request #212 from appuio/fix/default-org-controller-rbac

simu · web-flow · commit fd065b51ed8e · 2024-09-26T13:31:14.000+02:00
Fix default organization controller RBAC
diff --git a/config/rbac/controller/role.yaml b/config/rbac/controller/role.yaml
@@ -179,6 +179,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - rbac.appuio.io
+  resources:
+  - users
+  verbs:
+  - create
+  - patch
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
diff --git a/controllers/default_organization_controller.go b/controllers/default_organization_controller.go
@@ -24,7 +24,8 @@ type DefaultOrganizationReconciler struct {
 }
 
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch
-//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch
+//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=create;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=users/status,verbs=get
 
 // Reconcile reacts on changes of memberships and sets members' default organization if appropriate

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,8 @@ type DefaultOrganizationReconciler struct {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch`
`27`		`-//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch;update;patch`
	`27`	`+//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch`
	`28`	`+//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=create;update;patch`
`28`	`29`	`//+kubebuilder:rbac:groups=appuio.io,resources=users/status,verbs=get`
`29`	`30`
`30`	`31`	`// Reconcile reacts on changes of memberships and sets members' default organization if appropriate`