From e481bdd8c6918b6a70cb3ee693af96a4618c85fd Mon Sep 17 00:00:00 2001
From: Joel Takvorian
Date: Wed, 2 Oct 2024 15:24:48 +0200
Subject: [PATCH 1/2] NETOBSERV-1893: fix netobserv-mertics-reader role creation

Prevent undesired mutation of the role by copying it before use.
---
 controllers/flp/flp_controller.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/controllers/flp/flp_controller.go b/controllers/flp/flp_controller.go
index ce1be9c8a..8775feb73 100644
--- a/controllers/flp/flp_controller.go
+++ b/controllers/flp/flp_controller.go
@@ -269,8 +269,9 @@ func reconcileDataAccessRoles(ctx context.Context, r *reconcilers.Common, b *bui
 }
 }
 }
- // Install netobserv-metrics-reader role
- return r.ReconcileClusterRole(ctx, &resources.PromReaderCR)
+ // Install netobserv-metrics-reader role; copy to avoid any undesired mutation
+ cr := resources.PromReaderCR
+ return r.ReconcileClusterRole(ctx, &cr)
 }
 
 func (r *Reconciler) getOpenShiftSubnets(ctx context.Context) ([]flowslatest.SubnetLabel, error) {

From dcc8e66f710716f2b141cb43ad127fcf5adb4001 Mon Sep 17 00:00:00 2001
From: Joel Takvorian
Date: Wed, 2 Oct 2024 17:56:30 +0200
Subject: [PATCH 2/2] Change ClusterRoles to be provided as functions

This is to avoid keeping reference to old / potentially mutated objects.
---
 controllers/flp/flp_controller.go | 4 +-
 pkg/loki/roles.go | 2 +-
 pkg/resources/static_resources.go | 64 +++++++++++++++++--------------
 3 files changed, 38 insertions(+), 32 deletions(-)

diff --git a/controllers/flp/flp_controller.go b/controllers/flp/flp_controller.go
index 8775feb73..a921e38bb 100644
--- a/controllers/flp/flp_controller.go
+++ b/controllers/flp/flp_controller.go
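Review bot: The copy on `cr := resources.PromReaderCR` is only a shallow struct copy — `Rules` and the `APIGroups`/`Resources`/`Verbs` slices inside it still share backing arrays with the package-level variable, so an in-place edit made through `&cr` (a rewritten rule element or verb) would still land on the shared template and be re-applied on the next reconcile, which for an RBAC object means silent permission drift. Full isolation needs `cr := *resources.PromReaderCR.DeepCopy()` (k8s.io/api types carry a generated DeepCopy); the second patch in this series removes the shared variable entirely, which is the stronger fix. The enclosing reconcileDataAccessRoles starts before the hunk.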
@@ -269,8 +269,8 @@ func reconcileDataAccessRoles(ctx context.Context, r *reconcilers.Common, b *bui
 }
 }
 }
- // Install netobserv-metrics-reader role; copy to avoid any undesired mutation
- cr := resources.PromReaderCR
+ // Install netobserv-metrics-reader role
+ cr := resources.PromReaderCR()
 return r.ReconcileClusterRole(ctx, &cr)
 }
 
diff --git a/pkg/loki/roles.go b/pkg/loki/roles.go
index 2cc11a184..7584f784d 100644
--- a/pkg/loki/roles.go
+++ b/pkg/loki/roles.go
@@ -10,7 +10,7 @@ import (
 
 func ClusterRoles(appName, saName, namespace string) ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) {
 crb := writerBinding(appName, saName, namespace)
- return []rbacv1.ClusterRole{resources.LokiWriterCR, resources.LokiReaderCR}, []rbacv1.ClusterRoleBinding{*crb}
+ return []rbacv1.ClusterRole{resources.LokiWriterCR(), resources.LokiReaderCR()}, []rbacv1.ClusterRoleBinding{*crb}
 }
 
 func writerBinding(appName, saName, namespace string) *rbacv1.ClusterRoleBinding {
diff --git a/pkg/resources/static_resources.go b/pkg/resources/static_resources.go
index 85988063c..ab94e0140 100644
--- a/pkg/resources/static_resources.go
+++ b/pkg/resources/static_resources.go
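Review bot: The trimmed comment on the new `cr := resources.PromReaderCR()` line no longer says why the role is rebuilt on every reconcile, so the next reader may be tempted to hoist it back into a package-level value and reintroduce the shared-mutation problem this series fixes. Suggest `// Install netobserv-metrics-reader role; built fresh per call so nothing done through &cr can leak into later reconciles`. The enclosing reconcileDataAccessRoles starts before the hunk.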
@@ -7,37 +7,43 @@ import (
 "github.com/netobserv/network-observability-operator/controllers/constants"
 )
 
-var LokiWriterCR = rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: constants.LokiCRWriter,
- },
- Rules: []rbacv1.PolicyRule{{
- APIGroups: []string{"loki.grafana.com"},
- Resources: []string{"network"},
- ResourceNames: []string{"logs"},
- Verbs: []string{"create"},
- }},
+func LokiWriterCR() rbacv1.ClusterRole {
+ return rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: constants.LokiCRWriter,
+ },
+ Rules: []rbacv1.PolicyRule{{
+ APIGroups: []string{"loki.grafana.com"},
+ Resources: []string{"network"},
+ ResourceNames: []string{"logs"},
+ Verbs: []string{"create"},
+ }},
+ }
 }
 
-var LokiReaderCR = rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: constants.LokiCRReader,
- },
- Rules: []rbacv1.PolicyRule{{
- APIGroups: []string{"loki.grafana.com"},
- Resources: []string{"network"},
- ResourceNames: []string{"logs"},
- Verbs: []string{"get"},
- }},
+func LokiReaderCR() rbacv1.ClusterRole {
+ return rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: constants.LokiCRReader,
+ },
+ Rules: []rbacv1.PolicyRule{{
+ APIGroups: []string{"loki.grafana.com"},
+ Resources: []string{"network"},
+ ResourceNames: []string{"logs"},
+ Verbs: []string{"get"},
+ }},
+ }
 }
 
-var PromReaderCR = rbacv1.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: constants.PromCRReader,
- },
- Rules: []rbacv1.PolicyRule{{
- APIGroups: []string{"metrics.k8s.io"},
- Resources: []string{"pods"},
- Verbs: []string{"create"},
- }},
+func PromReaderCR() rbacv1.ClusterRole {
+ return rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: constants.PromCRReader,
+ },
+ Rules: []rbacv1.PolicyRule{{
+ APIGroups: []string{"metrics.k8s.io"},
+ Resources: []string{"pods"},
+ Verbs: []string{"create"},
+ }},
+ }
 }
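Review bot: The three new exported functions `LokiWriterCR`, `LokiReaderCR` and `PromReaderCR` have no doc comments, and the one property a reader most needs — that every call returns a fresh value callers may mutate without affecting anyone else — is stated only in the commit message. Suggest a Go-convention comment on each, e.g. `// PromReaderCR returns a fresh ClusterRole for the metrics reader; each call builds a new value so callers may mutate it freely.` Separately, `PromReaderCR` grants verb `create` on `pods` in `metrics.k8s.io` for a role named reader, which reads as an over-grant unless it is mirroring a SubjectAccessReview attribute check performed by a metrics proxy; a one-line comment saying which it is would keep least-privilege reviewers from flagging it. The rule content itself is unchanged by this patch.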