Remove unnecessary CRDs and RBAC rules

[luolanzone]

Fixes #3489

This PR is based on #3435, only the last commit is relevant to this PR.

Some CRDs and access control rules are required by member or leader
only, so remove unused CRDs and RBAC rules in separate leader and member
manifests.

Please note: since Kustomize didn't support deleteFromPrimitiveList,
it's unable to remove elements in all-in-one RBAC rules through overlay
setting, so I added separate rbac files for both leader and member. It means
if you use kubebuilder comment marker without adding them into right overlay role files, you will only
get the change in all-in-one file which it's the file in multicluster/config/rbac/role.yaml.

Signed-off-by: Lan Luo [email protected]

[luolanzone]

/test-multicluster-e2e

[codecov-commenter]

Codecov Report

Merging #3491 (c2eebee) into main (7599ffb) will decrease coverage by 11.07%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #3491       +/-   ##
===========================================
- Coverage   65.49%   54.41%   -11.08%     
===========================================
  Files         278      392      +114     
  Lines       27750    42958    +15208     
===========================================
+ Hits        18174    23377     +5203     
- Misses       7657    17257     +9600     
- Partials     1919     2324      +405     

Flag	Coverage Δ
integration-tests	38.30% <ø> (?)
kind-e2e-tests	51.27% <ø> (-3.89%)	⬇️
unit-tests	43.34% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...g/agent/apiserver/handlers/featuregates/handler.go	0.00% <0.00%> (-82.36%)	⬇️
pkg/apis/controlplane/helper.go	33.33% <0.00%> (-66.67%)	⬇️
pkg/controller/egress/store/egressgroup.go	1.38% <0.00%> (-58.34%)	⬇️
...kg/apiserver/registry/system/supportbundle/rest.go	20.45% <0.00%> (-54.55%)	⬇️
pkg/support/dump.go	8.19% <0.00%> (-49.19%)	⬇️
...egator/apiserver/handlers/recordmetrics/handler.go	0.00% <0.00%> (-44.45%)	⬇️
pkg/support/dump_others.go	0.00% <0.00%> (-44.00%)	⬇️
pkg/controller/networkpolicy/tier.go	12.50% <0.00%> (-40.00%)	⬇️
...g/agent/apiserver/handlers/addressgroup/handler.go	0.00% <0.00%> (-40.00%)	⬇️
...agent/apiserver/handlers/appliedtogroup/handler.go	0.00% <0.00%> (-40.00%)	⬇️
... and 154 more

[jianjuns]

What does "manager" refer to here?

[luolanzone]

I mean an option in a kubebuilder manager initialization which is used by leader and member controllers. let me change it to controller for easy understanding.

[Dyanngg]

@tnqn @luolanzone can we merge #3488 first? Otherwise /test-multicluster-e2e is not reliable

[Dyanngg]

Could you explain the following in more details?

It means if you use kubebuilder comment marker without adding them into right overlay role files, you will only
get the change in all-in-one file which it's the file in multicluster/config/rbac/role.yaml.

Does that indicate that in the future, rbac rules for member/leader needs to be manually added (in /config/overlays/member/roles.yml for example)? If so, is multicluster/config/rbac/role.yaml still used anywhere?

[luolanzone]

Could you explain the following in more details?

It means if you use kubebuilder comment marker without adding them into right overlay role files, you will only
get the change in all-in-one file which it's the file in multicluster/config/rbac/role.yaml.

Does that indicate that in the future, rbac rules for member/leader needs to be manually added (in /config/overlays/member/roles.yml for example)? If so, is multicluster/config/rbac/role.yaml still used anywhere?

correct, we need manually add all required roles separately in the future, role.yaml is automatically generated when we run make manifests because controller-gen will translate any kubebuilder comment marker into correct role setting automatically. but it will not be used by leader and member manifests directly any more after this change. but you can refer to the auto-generated roles if you still like to use kubebuilder marker. and we may reuse the all-in-one role file again once deleteFromPrimitiveList directive is supported in Kustomize.

[jianjuns]

I think we should make it clearer. Do you mean Multi-cluster Controller or antrea-mc-controller?

[luolanzone]

sure, let me change it to Multi-cluster Controller.

[jianjuns]

We could not use a name like "controller-role" which can easily conflicts with other controllers in the cluster. Add "antrea-mc-" prefix for all such K8s standard resources.

[luolanzone]

yes, this is a base file, we add a prefix antrea-mc- in kustomization.yml which will add this prefix in final manifest.

[jianjuns]

Ah, I recall this now!

[luolanzone]

/test-multicluster-e2e

[luolanzone]

/test-multicluster-e2e

[luolanzone]

@Dyanngg multicluster e2e passed after I rebased my changes on top of your ACNP e2e. but I checked the ACNP e2e test, it only verify the replicated ACNP's realization, no failed case for event creation, I manually tried it, it works as expected. so I think this PR can work fine with latest ACNP changes.

[luolanzone]

@jianjuns @tnqn do you have any new comment for this PR? thanks!

[tnqn]

@luolanzone could you rebase?

[luolanzone]

/test-multicluster-e2e

[luolanzone]

@tnqn rebase is done, MC e2e is triggered. thanks.

[tnqn]

/skip-all