From 6368b42ed5b690cc354b3a1306b47662312b71b3 Mon Sep 17 00:00:00 2001
From: Bin Liu
Date: Thu, 18 May 2023 15:48:46 +0800
Subject: [PATCH] fix providerServiceAccountRBACRules to remove ResourceNames

The issue is that Antrea addon controller needs to create a ClusterRole to allow tkg controllers to read all NSXServiceAccount CRs, however, the Antrea addon controller wrongly adds the specific NSXServiceAccount name (instead of all) restriction to the permission. This only allows the tkg controllers to read a specific NSXServiceAccount instead all NSXServiceAccounts. So if the Cluster is created one by one, customer will not hit this bug. For each cluster, Antrea addon controller updates the ClusterRole with the current NSXServiceAccount name for the current Cluster. If the Clusters are created in batch, all controllers need to process Clusters in parallel, chances are Antrea addon controller specifies a specific NSXServiceAccount name for Cluster A, but tkg controllers are processing Cluster B, then tkg controllers will fail to read NSXServiceAccount.

Signed-off-by: Bin Liu
---
 .../antrea/antreaconfig_controller.go | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/addons/controllers/antrea/antreaconfig_controller.go b/addons/controllers/antrea/antreaconfig_controller.go
index f23fcb1e4f..721ddd4a56 100644
--- a/addons/controllers/antrea/antreaconfig_controller.go
+++ b/addons/controllers/antrea/antreaconfig_controller.go
@@ -279,21 +279,17 @@ func (r *AntreaConfigReconciler) ensureProviderServiceAccount(ctx context.Contex
 return err
 }
 clusterName, _ := getClusterName(antreaConfig)
- nsxSAName := clusterName + "-antrea"
- nsxSecretName := clusterName + "-antrea-nsx-cert"
 clusterName = vsphereCluster.Name
 providerServiceAccountRBACRules := []rbacv1.PolicyRule{
 {
- APIGroups: []string{nsxServiceAccountAPIGroup},
- Resources: []string{nsxServiceAccountKind},
- ResourceNames: []string{nsxSAName},
- Verbs: []string{"get", "list", "watch"},
+ APIGroups: []string{nsxServiceAccountAPIGroup},
+ Resources: []string{nsxServiceAccountKind},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
- APIGroups: []string{""},
- Resources: []string{"secrets"},
- ResourceNames: []string{fmt.Sprintf(nsxSecretName)},
- Verbs: []string{"get", "list", "watch"},
+ APIGroups: []string{""},
+ Resources: []string{"secrets"},
+ Verbs: []string{"get", "list", "watch"},
 },
 }
 _, err = controllerutil.CreateOrPatch(ctx, r.Client, vsphereAntreaConfigProviderServiceAccountAggregatedClusterRole, func() error {
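Review bot: Dropping `ResourceNames` from the second rule widens a read grant on one named secret to `get`/`list`/`watch` on every Secret in the cluster, because the object patched just below (`vsphereAntreaConfigProviderServiceAccountAggregatedClusterRole`) is a ClusterRole and the core-group `secrets` rule now carries no name restriction. The commit message motivates the change only for the NSXServiceAccount rule (the per-cluster overwrite races with other clusters' reconciles), and that same overwrite is what broke the secrets rule, so a least-privilege fix would patch the ClusterRole with the union of `<clusterName>-antrea-nsx-cert` names across reconciled clusters, or move the secret read into a namespaced Role in each cluster's namespace, rather than unscoping it. If the unscoped grant is intended, record that on the rule, e.g. `// No ResourceNames: this shared ClusterRole is rewritten on every reconcile, so per-cluster secret names cannot be listed here`, and name which subjects aggregate it. `ensureProviderServiceAccount` starts and ends outside the hunk, so whether anything else in the function still needs the removed `nsxSecretName` cannot be confirmed from here.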