fix(rbac): update role bindings and permissions for user management (#6577)

cuisongliu · web-flow · commit 913fe9e64c71 · 2026-01-23T11:42:20.000+08:00
diff --git a/controllers/user/main.go b/controllers/user/main.go
@@ -62,7 +62,6 @@ func main() {
 		metricsAddr                string
 		enableLeaderElection       bool
 		probeAddr                  string
-		configFilePath             string
 		rateLimiterOptions         ratelimiter.RateLimiterOptions
 		syncPeriod                 time.Duration
 		minRequeueDuration         time.Duration
@@ -125,12 +124,6 @@ func main() {
 		time.Hour*2,
 		"Sets the restrat predicate time duration for user controller restart. By default, the duration is set to 2 hours.",
 	)
-	flag.StringVar(
-		&configFilePath,
-		"config-file-path",
-		"/config.yaml",
-		"The path to the configuration file.",
-	)
 	flag.BoolVar(
 		&secureMetrics,
 		"metrics-secure",
@@ -243,9 +236,13 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "Operationrequest")
 		os.Exit(1)
 	}
-	if err = (&userv1.Operationrequest{}).SetupWebhookWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create webhook", "webhook", "Operationrequest")
-		os.Exit(1)
+	if os.Getenv("DISABLE_WEBHOOKS") == "true" {
+		setupLog.Info("disable all webhooks")
+	} else {
+		if err = (&userv1.Operationrequest{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "Operationrequest")
+			os.Exit(1)
+		}
 	}
 	if err = (&controllers.DeleteRequestReconciler{
 		Client: mgr.GetClient(),
diff --git a/frontend/desktop/deploy/manifests/rbac.yaml b/frontend/desktop/deploy/manifests/rbac.yaml
@@ -3,51 +3,70 @@ kind: ClusterRole
 metadata:
   name: auth-system-manager-role
 rules:
-  - apiGroups: ["user.sealos.io"]
-    resources: ["users"]
-    verbs: ["list", "get", "create", "update", "patch", "watch"]
-  - apiGroups: ["user.sealos.io"]
-    resources: ["users/status"]
-    verbs: ["list", "get", "create", "update", "patch", "watch"]
-  - apiGroups: ["user.sealos.io"]
-    resources: ["operationrequests", "deleterequests"]
-    verbs: ["create", "get"]
+  - apiGroups:
+      - user.sealos.io
+    resources:
+      - users
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - user.sealos.io
+    resources:
+      - users/status
+    verbs:
+      - get
+  - apiGroups:
+      - user.sealos.io
+    resources:
+      - operationrequests
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - user.sealos.io
+    resources:
+      - operationrequests/status
+    verbs:
+      - get
+  - apiGroups:
+      - user.sealos.io
+    resources:
+      - deleterequests
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - user.sealos.io
+    resources:
+      - deleterequests/status
+    verbs:
+      - get
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: desktop-user-editor-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: user-editor-role
-subjects:
-  - kind: ServiceAccount
-    name: desktop-frontend
-    namespace: sealos
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: desktop-operationrequest-editor-role-binding
+  name: desktop-user-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: operationrequest-editor-role
-subjects:
-  - kind: ServiceAccount
-    name: desktop-frontend
-    namespace: sealos
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: desktop-deleterequest-editor-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: deleterequest-editor-role
+  name: auth-system-manager-role
 subjects:
   - kind: ServiceAccount
     name: desktop-frontend
diff --git a/frontend/desktop/deploy/scripts/init.sh b/frontend/desktop/deploy/scripts/init.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 set -e
+kubectl delete clusterrolebinding desktop-deleterequest-editor-role-binding --ignore-not-found=true
+kubectl delete clusterrolebinding desktop-operationrequest-editor-role-binding --ignore-not-found=true
+kubectl delete clusterrolebinding desktop-user-editor-role-binding --ignore-not-found=true
+
 kubectl apply -f manifests/deploy.yaml -f manifests/rbac.yaml -f manifests/ingress.yaml
 cm_exists=$(kubectl get cm desktop-frontend-config -n sealos --ignore-not-found=true)
 if [[ -n "$cm_exists" ]]; then
