This is an automated email from the ASF dual-hosted git repository. pcongiusti pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/main by this push: new f53e6a709 fix(install): remove unneded rbacs f53e6a709 is described below commit f53e6a709564ff50654871b9a923e7b3142ee8d5 Author: Pasquale Congiusti <pasquale.congiu...@gmail.com> AuthorDate: Thu Jun 19 18:28:38 2025 +0200 fix(install): remove unneded rbacs Closes #6145 --- e2e/support/test_support.go | 5 - helm/camel-k/templates/rbacs-common.yaml | 107 --------------------- pkg/install/cluster.go | 44 --------- pkg/install/operator.go | 4 - .../bases/camel-k.clusterserviceversion.yaml | 2 +- pkg/resources/config/manifests/kustomization.yaml | 2 - .../manifests/patch-delete-user-cluster-role.yaml | 22 ----- pkg/resources/config/rbac/kustomization.yaml | 5 - ...operator-cluster-role-addressable-resolver.yaml | 32 ------ ...-cluster-role-binding-addressable-resolver.yaml | 30 ------ ...r-role-binding-custom-resource-definitions.yaml | 30 ------ ...r-cluster-role-custom-resource-definitions.yaml | 30 ------ pkg/resources/config/rbac/user-cluster-role.yaml | 64 ------------ 13 files changed, 1 insertion(+), 376 deletions(-) diff --git a/e2e/support/test_support.go b/e2e/support/test_support.go index 08cae0de3..594af320b 100644 --- a/e2e/support/test_support.go +++ b/e2e/support/test_support.go @@ -111,11 +111,6 @@ const ExpectedCRDs = 7 // camel-k-operator-knative const ExpectedKubePromoteRoles = 7 -// camel-k-edit -// camel-k-operator-custom-resource-definitions -// camel-k-operator-bind-addressable-resolver -const ExpectedKubeClusterRoles = 3 - // camel-k-operator-openshift const ExpectedOSPromoteRoles = 1 diff --git a/helm/camel-k/templates/rbacs-common.yaml b/helm/camel-k/templates/rbacs-common.yaml index 82363ca49..fd7718633 100644 --- a/helm/camel-k/templates/rbacs-common.yaml +++ b/helm/camel-k/templates/rbacs-common.yaml 
@@ -108,83 +108,6 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: camel-k - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: camel-k-edit -rules: -- apiGroups: - - camel.apache.org - resources: - - builds - - camelcatalogs - - integrationkits - - integrationplatforms - - integrationprofiles - - integrations - - pipes - - kamelets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - camel.apache.org - resources: - - builds/status - - camelcatalogs/status - - integrationkits/status - - integrationplatforms/status - - integrationprofiles/status - - integrations/scale - - integrations/status - - pipes/scale - - pipes/status - - kamelets/status - verbs: - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: camel-k - name: camel-k-operator-bind-addressable-resolver -rules: -- apiGroups: - - rbac.authorization.k8s.io - resourceNames: - - addressable-resolver - resources: - - clusterroles - verbs: - - bind ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: camel-k - name: camel-k-operator-custom-resource-definitions -rules: -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: 
@@ -211,33 +134,3 @@ roleRef: subjects: - kind: ServiceAccount name: camel-k-builder ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: camel-k - name: camel-k-operator-bind-addressable-resolver -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: camel-k-operator-bind-addressable-resolver -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: '{{ .Release.Namespace }}' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: camel-k - name: camel-k-operator-custom-resource-definitions -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: camel-k-operator-custom-resource-definitions -subjects: -- kind: ServiceAccount - name: camel-k-operator - namespace: '{{ .Release.Namespace }}' diff --git a/pkg/install/cluster.go b/pkg/install/cluster.go index 616392bec..d12192d8b 100644 --- a/pkg/install/cluster.go +++ b/pkg/install/cluster.go @@ -33,7 +33,6 @@ import ( "github.com/apache/camel-k/v2/pkg/client" "github.com/apache/camel-k/v2/pkg/resources" - "github.com/apache/camel-k/v2/pkg/util/knative" "github.com/apache/camel-k/v2/pkg/util/kubernetes" ctrl "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -69,30 +68,6 @@ func SetupClusterWideResourcesOrCollect( func installClusterRoles( ctx context.Context, c client.Client, collection *kubernetes.Collection, clusterType string, ) error { - // ClusterRole: camel-k-edit - ok, err := isClusterRoleInstalled(ctx, c, "camel-k-edit") - if err != nil { - return err - } - if !ok || collection != nil { - err := installResource(ctx, c, collection, "/config/rbac/user-cluster-role.yaml") - if err != nil { - return err - } - } - - // ClusterRole: camel-k-operator-custom-resource-definitions - ok, err = isClusterRoleInstalled(ctx, c, "camel-k-operator-custom-resource-definitions") - if err != nil { - return err - } - if !ok { - if err := installResource(ctx, c, collection, - "/config/rbac/operator-cluster-role-custom-resource-definitions.yaml"); err != nil { - return err - } - } - // === For OpenShift === // ClusterRole: camel-k-operator-console-openshift isOpenShift, err := isOpenShift(c, clusterType) @@ -112,25 +87,6 @@ func installClusterRoles( } } - // === For Knative === - // ClusterRole: camel-k-operator-bind-addressable-resolver - isKnative, err := knative.IsEventingInstalled(c) - if err != nil { - return err - } - if isKnative { - ok, err := isClusterRoleInstalled(ctx, c, "camel-k-operator-bind-addressable-resolver") - if err != nil { - return err - } - if !ok || collection != nil { - err := installResource(ctx, c, collection, "/config/rbac/operator-cluster-role-addressable-resolver.yaml") - if err != nil { - return err - } - } - } - return nil } diff --git a/pkg/install/operator.go b/pkg/install/operator.go index 9728ce737..039b2f58e 100644 --- a/pkg/install/operator.go +++ b/pkg/install/operator.go 
@@ -315,10 +315,6 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client, fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create Leases. Try installing as cluster-admin to allow management of Lease resources.") } - if err = installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-custom-resource-definitions", "/config/rbac/operator-cluster-role-binding-custom-resource-definitions.yaml"); err != nil { - fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to get CustomResourceDefinitions resources and the service-binding trait will fail if used. Try installing the operator as cluster-admin.") - } - if err = installNamespacedRoleBinding(ctx, c, collection, cfg.Namespace, "/config/rbac/operator-role-binding-local-registry.yaml"); err != nil { if !k8serrors.IsAlreadyExists(err) { fmt.Fprintf(cmd.ErrOrStderr(), "Warning: the operator may not be able to detect a local image registry (%s)\n", err.Error()) diff --git a/pkg/resources/config/manifests/bases/camel-k.clusterserviceversion.yaml b/pkg/resources/config/manifests/bases/camel-k.clusterserviceversion.yaml index 98ee72c29..198cc5982 100644 --- a/pkg/resources/config/manifests/bases/camel-k.clusterserviceversion.yaml +++ b/pkg/resources/config/manifests/bases/camel-k.clusterserviceversion.yaml @@ -23,7 +23,7 @@ metadata: categories: Integration & Delivery certified: "false" containerImage: docker.io/apache/camel-k:2.7.0-SNAPSHOT - createdAt: 2025-02-19T10:13:23Z + createdAt: 2025-06-19T13:07:50Z description: Apache Camel K is a lightweight integration platform, born on Kubernetes, with serverless superpowers. operators.operatorframework.io/builder: operator-sdk-v1.16.0 diff --git a/pkg/resources/config/manifests/kustomization.yaml b/pkg/resources/config/manifests/kustomization.yaml index 111b96537..79c5c2444 100644 --- a/pkg/resources/config/manifests/kustomization.yaml 
+++ b/pkg/resources/config/manifests/kustomization.yaml @@ -31,8 +31,6 @@ resources: - ../rbac - ../rbac/namespaced -patchesStrategicMerge: -- patch-delete-user-cluster-role.yaml images: - name: docker.io/apache/camel-k newName: docker.io/apache/camel-k diff --git a/pkg/resources/config/manifests/patch-delete-user-cluster-role.yaml b/pkg/resources/config/manifests/patch-delete-user-cluster-role.yaml deleted file mode 100644 index e380103de..000000000 --- a/pkg/resources/config/manifests/patch-delete-user-cluster-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# --------------------------------------------------------------------------- -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# --------------------------------------------------------------------------- - -$patch: delete -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-edit diff --git a/pkg/resources/config/rbac/kustomization.yaml b/pkg/resources/config/rbac/kustomization.yaml index a0c41da10..c1c7b13e2 100644 --- a/pkg/resources/config/rbac/kustomization.yaml +++ b/pkg/resources/config/rbac/kustomization.yaml 
@@ -22,11 +22,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- user-cluster-role.yaml -- operator-cluster-role-custom-resource-definitions.yaml -- operator-cluster-role-binding-custom-resource-definitions.yaml -- operator-cluster-role-addressable-resolver.yaml -- operator-cluster-role-binding-addressable-resolver.yaml - builder-role.yaml - builder-role-openshift.yaml - builder-role-binding.yaml diff --git a/pkg/resources/config/rbac/operator-cluster-role-addressable-resolver.yaml b/pkg/resources/config/rbac/operator-cluster-role-addressable-resolver.yaml deleted file mode 100644 index 9428404cc..000000000 --- a/pkg/resources/config/rbac/operator-cluster-role-addressable-resolver.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# --------------------------------------------------------------------------- -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# --------------------------------------------------------------------------- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camel-k-operator-bind-addressable-resolver - labels: - app: "camel-k" -rules: -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - resourceNames: - - addressable-resolver - verbs: - - bind 
diff --git a/pkg/resources/config/rbac/operator-cluster-role-binding-addressable-resolver.yaml b/pkg/resources/config/rbac/operator-cluster-role-binding-addressable-resolver.yaml
deleted file mode 100644
index 1c32ba085..000000000
--- a/pkg/resources/config/rbac/operator-cluster-role-binding-addressable-resolver.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# ---------------------------------------------------------------------------
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ---------------------------------------------------------------------------
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: camel-k-operator-bind-addressable-resolver
- labels:
- app: "camel-k"
-subjects:
-- kind: ServiceAccount
- name: camel-k-operator
-roleRef:
- kind: ClusterRole
- name: camel-k-operator-bind-addressable-resolver
- apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/resources/config/rbac/operator-cluster-role-binding-custom-resource-definitions.yaml b/pkg/resources/config/rbac/operator-cluster-role-binding-custom-resource-definitions.yaml
deleted file mode 100644
index d73ce7c11..000000000
--- a/pkg/resources/config/rbac/operator-cluster-role-binding-custom-resource-definitions.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# ---------------------------------------------------------------------------
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ---------------------------------------------------------------------------
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: camel-k-operator-custom-resource-definitions
- labels:
- app: "camel-k"
-subjects:
-- kind: ServiceAccount
- name: camel-k-operator
-roleRef:
- kind: ClusterRole
- name: camel-k-operator-custom-resource-definitions
- apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/resources/config/rbac/operator-cluster-role-custom-resource-definitions.yaml b/pkg/resources/config/rbac/operator-cluster-role-custom-resource-definitions.yaml
deleted file mode 100644
index 391e96c37..000000000
--- a/pkg/resources/config/rbac/operator-cluster-role-custom-resource-definitions.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# ---------------------------------------------------------------------------
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ---------------------------------------------------------------------------
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: camel-k-operator-custom-resource-definitions
- labels:
- app: "camel-k"
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
diff --git a/pkg/resources/config/rbac/user-cluster-role.yaml b/pkg/resources/config/rbac/user-cluster-role.yaml
deleted file mode 100644
index f731a0a9b..000000000
--- a/pkg/resources/config/rbac/user-cluster-role.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-# ---------------------------------------------------------------------------
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ---------------------------------------------------------------------------
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: camel-k-edit
- labels:
- app: "camel-k"
- # Add these permissions to the "admin" and "edit" default roles.
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
-rules:
-- apiGroups:
- - camel.apache.org
- resources:
- - builds
- - camelcatalogs
- - integrationkits
- - integrationplatforms
- - integrationprofiles
- - integrations
- - pipes
- - kamelets
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - camel.apache.org
- resources:
- - builds/status
- - camelcatalogs/status
- - integrationkits/status
- - integrationplatforms/status
- - integrationprofiles/status
- - integrations/scale
- - integrations/status
- - pipes/scale
- - pipes/status
- - kamelets/status
- verbs:
- - get
- - patch
- - update