diff --git a/charts/actions-runner-controller-2/templates/manager_role.yaml b/charts/actions-runner-controller-2/templates/manager_role.yaml
index 6b68e603..34639b9a 100644
--- a/charts/actions-runner-controller-2/templates/manager_role.yaml
+++ b/charts/actions-runner-controller-2/templates/manager_role.yaml
@@ -110,14 +110,6 @@ rules:
 - apiGroups:
 - ""
 resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - ""
- resources:
- - namespaces
 - pods
 verbs:
 - create
@@ -130,57 +122,9 @@ rules:
 - apiGroups:
 - ""
 resources:
- - persistentvolumeclaims
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - namespaces/status
 - pods/status
 verbs:
 - get
-- apiGroups:
- - ""
- resources:
- - persistentvolumes
- verbs:
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - pods/finalizers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
 - apiGroups:
 - ""
 resources:
@@ -223,28 +167,4 @@ rules:
 - get
 - update
 - list
- - watch
-- apiGroups:
- - ""
- resources:
- - pods/exec
- verbs:
- - create
- - get
-- apiGroups:
- - ""
- resources:
- - pods/log
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - "batch"
- resources:
- - jobs
- verbs:
- - get
- - list
- - create
- - delete
+ - watch
\ No newline at end of file
diff --git a/charts/actions-runner-controller-2/tests/template_test.go b/charts/actions-runner-controller-2/tests/template_test.go
index 6459fb03..1aa2f939 100644
--- a/charts/actions-runner-controller-2/tests/template_test.go
+++ b/charts/actions-runner-controller-2/tests/template_test.go
@@ -162,7 +162,7 @@ func TestTemplate_CreateManagerRole(t *testing.T) {
 assert.Empty(t, managerRole.Namespace, "ClusterRole should not have a namespace")
 assert.Equal(t, "test-arc-actions-runner-controller-2-manager-role", managerRole.Name)
- assert.Equal(t, 25, len(managerRole.Rules))
+ assert.Equal(t, 17, len(managerRole.Rules))
 }
 func TestTemplate_ManagerRoleBinding(t *testing.T) {
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 29ab8881..b80a869d 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -306,26 +306,6 @@ rules:
 verbs:
 - create
 - patch
-- apiGroups:
- - ""
- resources:
- - namespaces
- - pods
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - namespaces/status
- - pods/status
- verbs:
- - get
 - apiGroups:
 - ""
 resources:
diff --git a/controllers/actions.github.com/autoscalingrunnerset_controller.go b/controllers/actions.github.com/autoscalingrunnerset_controller.go
index db0a4f9d..9b14b515 100644
--- a/controllers/actions.github.com/autoscalingrunnerset_controller.go
+++ b/controllers/actions.github.com/autoscalingrunnerset_controller.go
@@ -68,8 +68,6 @@ type AutoscalingRunnerSetReconciler struct {
 resourceBuilder resourceBuilder
 }
-// +kubebuilder:rbac:groups=core,resources=namespaces;pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=namespaces/status;pods/status,verbs=get
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets/finalizers,verbs=update
diff --git a/controllers/actions.github.com/ephemeralrunner_controller.go b/controllers/actions.github.com/ephemeralrunner_controller.go
index 7ee546cb..dd12a50f 100644
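Review bot: In TestTemplate_CreateManagerRole (template_test.go) the only check on the trimmed ClusterRole is `assert.Equal(t, 17, len(managerRole.Rules))`, which pins how many rules exist but not which ones. A later chart edit that re-adds a sensitive rule such as `pods/exec` while dropping an unrelated one would still pass. Assert that the removed resources stay absent, for example `for _, rule := range managerRole.Rules { assert.NotContains(t, rule.Resources, "pods/exec") }`, and repeat it for `persistentvolumes` and `jobs`. The test body starts outside the hunk, so a per-rule check further up cannot be ruled out.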
--- a/controllers/actions.github.com/ephemeralrunner_controller.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller.go
@@ -59,12 +59,8 @@ type EphemeralRunnerReconciler struct {
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/finalizers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;delete
-// +kubebuilder:rbac:groups=core,resources=pods/finalizers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
-// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=create;delete;get
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;delete;get
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;delete;get
+// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=create;get;list;watch;delete
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/controllers/actions.github.com/ephemeralrunnerset_controller.go b/controllers/actions.github.com/ephemeralrunnerset_controller.go
index 6744e1ba..08ecc2da 100644
--- a/controllers/actions.github.com/ephemeralrunnerset_controller.go
+++ b/controllers/actions.github.com/ephemeralrunnerset_controller.go
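Review bot: The new marker `// +kubebuilder:rbac:groups=core,resources=secrets,verbs=create;get;list;watch;delete` in ephemeralrunner_controller.go widens the secrets grant by adding `create` in a commit that otherwise trims permissions, and neither the config/rbac/role.yaml hunk nor the chart's manager_role.yaml hunks in this diff show a matching secrets change. If role.yaml is generated from these markers it looks only partly regenerated: the removed `serviceaccounts`, `roles` and `rolebindings` markers have no counterpart there either, unless other controllers still declare them. Regenerate it and check the Helm role by hand so the three sources agree. The chart test treats the manager role as a ClusterRole, so get/list/watch on secrets there is read access to secrets in every namespace; a comment above the marker such as `// secrets: create/delete for <which secret>; keep in sync with the chart's manager_role.yaml` would record why each verb is needed.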
@@ -56,6 +56,8 @@ type EphemeralRunnerSetReconciler struct {
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
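Review bot: The added `ephemeralrunners` marker grants the full verb set (`get;list;watch;create;update;patch;delete`) with no comment saying which of those verbs EphemeralRunnerSetReconciler actually uses. Reconcile's body is outside the hunk, so whether `update` and `patch` are needed cannot be confirmed from here; if the set reconciler only creates, lists and deletes runners, the marker can be narrowed to `verbs=get;list;watch;create;delete`. Either way, a line above it such as `// ephemeralrunners: verbs used by the set reconciler are <list>` (filled in from what Reconcile does) gives the next permission trim something to check against.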