refactor: use controller-gen for rbac in poddefaults-webhook (#215)

thesuperzapper · web-flow · commit 8d08130047db · 2026-02-19T23:46:31.000Z
Signed-off-by: Mathew Wicks &lt;5735406+thesuperzapper@users.noreply.github.com&gt;
diff --git a/components/poddefaults-webhooks/Makefile b/components/poddefaults-webhooks/Makefile
@@ -14,8 +14,9 @@ endif
 
 .PHONY: manifests
 manifests: controller-gen ## Generate CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) crd paths="./..." \
-		output:crd:artifacts:config=manifests/kustomize/base
+	$(CONTROLLER_GEN) rbac:roleName=poddefaults-webhook-cluster-role crd paths="./..." \
+		output:crd:artifacts:config=manifests/kustomize/base \
+		output:rbac:artifacts:config=manifests/kustomize/base
 
 	mv manifests/kustomize/base/kubeflow.org_poddefaults.yaml manifests/kustomize/base/crd.yaml
 
diff --git a/components/poddefaults-webhooks/main.go b/components/poddefaults-webhooks/main.go
@@ -42,6 +42,8 @@ import (
 	"k8s.io/klog"
 )
 
+// +kubebuilder:rbac:groups=kubeflow.org,resources=poddefaults,verbs=create;delete;get;list;patch;update;watch
+
 const (
 	annotationPrefix        = "poddefault.admission.kubeflow.org"
 	istioProxyContainerName = "istio-proxy"
diff --git a/components/poddefaults-webhooks/manifests/kustomize/base/crd.yaml b/components/poddefaults-webhooks/manifests/kustomize/base/crd.yaml
@@ -4561,3 +4561,5 @@ spec:
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}
diff --git a/components/poddefaults-webhooks/manifests/kustomize/base/kustomization.yaml b/components/poddefaults-webhooks/manifests/kustomize/base/kustomization.yaml
@@ -4,11 +4,11 @@ kind: Kustomization
 namespace: kubeflow
 
 resources:
-  - cluster-role-binding.yaml
-  - cluster-role.yaml
   - crd.yaml
   - deployment.yaml
   - mutating-webhook-configuration.yaml
+  - role.yaml
+  - role_binding.yaml
   - service-account.yaml
   - service.yaml
   - user_cluster_roles.yaml
diff --git a/components/poddefaults-webhooks/manifests/kustomize/base/role.yaml b/components/poddefaults-webhooks/manifests/kustomize/base/role.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -8,10 +9,10 @@ rules:
   resources:
   - poddefaults
   verbs:
+  - create
+  - delete
   - get
-  - watch
   - list
-  - update
-  - create
   - patch
-  - delete
+  - update
+  - watch
diff --git a/components/poddefaults-webhooks/manifests/kustomize/base/role_binding.yaml b/components/poddefaults-webhooks/manifests/kustomize/base/role_binding.yaml
diff --git a/components/poddefaults-webhooks/pkg/apis/settings/v1alpha1/poddefault_types.go b/components/poddefaults-webhooks/pkg/apis/settings/v1alpha1/poddefault_types.go
@@ -20,13 +20,16 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+// Important: Run "make" to regenerate code after modifying this file
+
+/*
+===============================================================================
+                               PodDefault - Spec
+===============================================================================
+*/
 
 // PodDefaultSpec defines the desired state of PodDefault
 type PodDefaultSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
 
 	// Selector is a label query over a set of resources, in this case pods.
 	// Required.
@@ -88,21 +91,28 @@ type PodDefaultSpec struct {
 	ImagePullSecrets []v1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 }
 
+/*
+===============================================================================
+                              PodDefault - Status
+===============================================================================
+*/
+
 // PodDefaultStatus defines the observed state of PodDefault
 type PodDefaultStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
 }
 
-// +genclient
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+/*
+===============================================================================
+                                   PodDefault
+===============================================================================
+*/
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=poddefaults
+// +kubebuilder:subresource:status
 
 // PodDefault is the Schema for the poddefaults API
-// +k8s:openapi-gen=true
-// +kubebuilder:resource:path=poddefaults
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;watch;list;update
-// +kubebuilder:rbac:groups=,resources=events,verbs=create;patch;update
-// +kubebuilder:informers:group=apps,version=v1,kind=Deployment
 type PodDefault struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -111,7 +121,13 @@ type PodDefault struct {
 	Status PodDefaultStatus `json:"status,omitempty"`
 }
 
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+/*
+===============================================================================
+                                 PodDefaultList
+===============================================================================
+*/
+
+// +kubebuilder:object:root=true
 
 // PodDefaultList contains a list of PodDefault
 type PodDefaultList struct {

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ import (`
`42`	`42`	`"k8s.io/klog"`
`43`	`43`	`)`
`44`	`44`
	`45`	`+// +kubebuilder:rbac:groups=kubeflow.org,resources=poddefaults,verbs=create;delete;get;list;patch;update;watch`
	`46`	`+`
`45`	`47`	`const (`
`46`	`48`	`annotationPrefix = "poddefault.admission.kubeflow.org"`
`47`	`49`	`istioProxyContainerName = "istio-proxy"`