Move rbac up to CVO. Drop admin perms

cmd/machine-api-operator/start.go

@@ -80,10 +80,7 @@ func startControllers(ctx *ControllerContext) error {
 		startOpts.imagesFile,
 
 		config,
-		ctx.KubeNamespacedInformerFactory.Core().V1().ServiceAccounts(),
 		ctx.KubeNamespacedInformerFactory.Apps().V1().Deployments(),
-		ctx.KubeNamespacedInformerFactory.Rbac().V1().ClusterRoles(),
-		ctx.KubeNamespacedInformerFactory.Rbac().V1().ClusterRoleBindings(),
 
 		ctx.ClientBuilder.KubeClientOrDie(componentName),
 		ctx.ClientBuilder.OpenshiftClientOrDie(componentName),

install/0000_30_machine-api-operator_08_rbac.yaml

@@ -1,13 +1,130 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: machine-api-manager
+rules:
+  - apiGroups:
+      - cluster.k8s.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+
+  - apiGroups:
+      - machine.openshift.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+
+  - apiGroups:
+      - healthchecking.openshift.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - clusteroperators
+      - clusteroperators/status
+    verbs:
+      - create
+      - get
+      - update
+
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+
+  - apiGroups:
+      - ""
+    resources:
+      - pods/eviction
+    verbs:
+      - create
+
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets
+    verbs:
+      - get
+      - list
+      - watch
+
 ---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: default-account-openshift-machine-api
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: openshift-machine-api
+  name: machine-api-manager-rolebinding
 roleRef:
-  kind: ClusterRole
-  name: cluster-admin
   apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: machine-api-manager
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: openshift-machine-api

pkg/operator/operator.go

@@ -11,8 +11,6 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	appsinformersv1 "k8s.io/client-go/informers/apps/v1"
-	coreinformersv1 "k8s.io/client-go/informers/core/v1"
-	rbacinformersv1 "k8s.io/client-go/informers/rbac/v1"
 	"k8s.io/client-go/kubernetes"
 	coreclientsetv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	appslisterv1 "k8s.io/client-go/listers/apps/v1"
@@ -60,10 +58,7 @@ func New(
 
 	config string,
 
-	serviceAccountInfomer coreinformersv1.ServiceAccountInformer,
 	deployInformer appsinformersv1.DeploymentInformer,
-	clusterRoleInformer rbacinformersv1.ClusterRoleInformer,
-	clusterRoleBindingInformer rbacinformersv1.ClusterRoleBindingInformer,
 
 	kubeClient kubernetes.Interface,
 	osClient osclientset.Interface,
@@ -82,10 +77,7 @@ func New(
 		queue:         workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "machineapioperator"),
 	}
 
-	serviceAccountInfomer.Informer().AddEventHandler(optr.eventHandler())
 	deployInformer.Informer().AddEventHandler(optr.eventHandler())
-	clusterRoleInformer.Informer().AddEventHandler(optr.eventHandler())
-	clusterRoleBindingInformer.Informer().AddEventHandler(optr.eventHandler())
 
 	optr.config = config
 	optr.syncHandler = optr.sync

pkg/operator/sync.go

@@ -51,24 +51,6 @@ func (optr *Operator) syncAll(config OperatorConfig) error {
 }
 
 func (optr *Operator) syncClusterAPIController(config OperatorConfig) error {
-	crBytes, err := PopulateTemplate(&config, filepath.Join(ownedManifestsDir, "clusterapi-manager-cluster-role.yaml"))
-	if err != nil {
-		return err
-	}
-	cr := resourceread.ReadClusterRoleV1OrDie(crBytes)
-	_, _, err = resourceapply.ApplyClusterRole(optr.kubeClient.RbacV1(), cr)
-	if err != nil {
-		return err
-	}
-	crbBytes, err := PopulateTemplate(&config, filepath.Join(ownedManifestsDir, "clusterapi-manager-cluster-role-binding.yaml"))
-	if err != nil {
-		return err
-	}
-	crb := resourceread.ReadClusterRoleBindingV1OrDie(crbBytes)
-	_, _, err = resourceapply.ApplyClusterRoleBinding(optr.kubeClient.RbacV1(), crb)
-	if err != nil {
-		return err
-	}
 	controllerBytes, err := PopulateTemplate(&config, filepath.Join(ownedManifestsDir, "clusterapi-manager-controllers.yaml"))
 	if err != nil {
 		return err

test/e2e/main.go

@@ -115,5 +115,13 @@ func runSuite() error {
 		return err
 	}
 	glog.Info("PASS: ExpectAutoscalerScalesOut")
+
+	glog.Info("RUN: ExpectNodeToBeDrainedBeforeMachineIsDeleted")
+	if err := testConfig.ExpectNodeToBeDrainedBeforeMachineIsDeleted(); err != nil {
+		glog.Errorf("FAIL: ExpectNodeToBeDrainedBeforeMachineIsDeleted: %v", err)
+		return err
+	}
+	glog.Info("PASS: ExpectNodeToBeDrainedBeforeMachineIsDeleted")
+
 	return nil
 }