From e9a75f3ccc61ee56043a5e7998e4c84dbda3dff4 Mon Sep 17 00:00:00 2001
From: Ronny Baturov
Date: Wed, 1 Jan 2025 19:56:46 +0200
Subject: [PATCH 1/2] Refined RBAC configuration for Service management
* Added a Role and RoleBinding for the manager pod, allowing the operator to manage Services exclusively within the NROP namespace.
* Removed the Service-related RBAC permissions previously granted in the ClusterRole.
Signed-off-by: Ronny Baturov
---
 ...ger-role_rbac.authorization.k8s.io_v1_role.yaml | 12 ++++++++++++
 ...maresources-operator.clusterserviceversion.yaml | 9 +++++++--
 config/rbac/role.yaml | 14 +++++++++++++-
 config/rbac/role_binding.yaml | 13 +++++++++++++
 controllers/numaresourcesoperator_controller.go | 3 +--
 5 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 bundle/manifests/numaresources-manager-role_rbac.authorization.k8s.io_v1_role.yaml
diff --git a/bundle/manifests/numaresources-manager-role_rbac.authorization.k8s.io_v1_role.yaml b/bundle/manifests/numaresources-manager-role_rbac.authorization.k8s.io_v1_role.yaml
new file mode 100644
index 000000000..688bbbaae
--- /dev/null
+++ b/bundle/manifests/numaresources-manager-role_rbac.authorization.k8s.io_v1_role.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: numaresources-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - '*'
diff --git a/bundle/manifests/numaresources-operator.clusterserviceversion.yaml b/bundle/manifests/numaresources-operator.clusterserviceversion.yaml
index ce4de29ba..e888c37d5 100644
--- a/bundle/manifests/numaresources-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/numaresources-operator.clusterserviceversion.yaml
@@ -62,7 +62,7 @@ metadata: } ] capabilities: Basic Install - createdAt: "2024-12-19T08:31:49Z" + createdAt: "2025-01-01T17:56:52Z" olm.skipRange: '>=4.18.0 <4.19.0' operatorframework.io/cluster-monitoring: "true" operators.operatorframework.io/builder: operator-sdk-v1.36.1 @@ -359,7 +359,6 @@ spec: resources: - configmaps - serviceaccounts - - services verbs: - '*' - apiGroups: @@ -600,6 +599,12 @@ spec: verbs: - create - patch + - apiGroups: + - "" + resources: + - services + verbs: + - '*' serviceAccountName: numaresources-controller-manager strategy: deployment installModes: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 3425f69b5..c2aeb4e47 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -9,7 +9,6 @@ rules: resources: - configmaps - serviceaccounts - - services verbs: - '*' - apiGroups: @@ -132,3 +131,16 @@ rules: - get - list - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: manager-role + namespace: numaresources +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - '*' diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index 2070ede44..5a040a5d2 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -10,3 +10,16 @@ subjects: - kind: ServiceAccount name: controller-manager namespace: system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system \ No newline at end of file diff --git a/controllers/numaresourcesoperator_controller.go b/controllers/numaresourcesoperator_controller.go index 6120bee4d..3b3a57c61 100644 --- a/controllers/numaresourcesoperator_controller.go +++ b/controllers/numaresourcesoperator_controller.go 
@@ -101,7 +101,7 @@ type NUMAResourcesOperatorReconciler struct {
 // TODO: narrow down
 // Namespace Scoped
-// TODO
+//+kubebuilder:rbac:groups="",resources=services,verbs=*,namespace="numaresources"
 // Cluster Scoped
 //+kubebuilder:rbac:groups=topology.node.k8s.io,resources=noderesourcetopologies,verbs=get;list;create;update
@@ -122,7 +122,6 @@ type NUMAResourcesOperatorReconciler struct {
 //+kubebuilder:rbac:groups=nodetopology.openshift.io,resources=numaresourcesoperators,verbs=*
 //+kubebuilder:rbac:groups=nodetopology.openshift.io,resources=numaresourcesoperators/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=nodetopology.openshift.io,resources=numaresourcesoperators/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=services,verbs=*
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
From 04fd7e41eb43de339772bcb6ecbb6908f215fc2d Mon Sep 17 00:00:00 2001
From: Ronny Baturov
Date: Wed, 1 Jan 2025 16:24:04 +0200
Subject: [PATCH 2/2] Scoped cache config for NROP namespace and cluster resources
This ensures the informer can successfully watch and list Service objects. Without this restriction, the operator will encounter the following failures:
reflector.go:561] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:numaresources:numaresources-controller-manager" cannot list resource "services" in API group "" at the cluster scope
reflector.go:158] "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:106: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:numaresources:numaresources-controller-manager\" cannot list resource \"services\" in API group \"\" at the cluster scope" logger="UnhandledError"
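Review bot: The new marker still grants `verbs=*` on Services, so the change narrows the scope from cluster to the `numaresources` namespace but leaves the privilege set as wide as before; `*` also covers `deletecollection` and any verb the API server adds later, and the `// TODO: narrow down` above this block remains open. Listing only the verbs the reconciler actually issues would complete the refinement, e.g. `//+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch;delete,namespace="numaresources"` (trim to what the Service handling code really uses — it is not visible from this hunk), then regenerating config/rbac/role.yaml and the bundle. The same wildcard is propagated into the Role appended to config/rbac/role.yaml, the new bundle Role manifest and the CSV `permissions` entry added by this patch. The marker also hard-codes the namespace, which the kubebuilder marker syntax requires, but it appears to rely on the kustomize namespace transformer to keep the generated Role in step with the `system` placeholder used by the RoleBinding subject in config/rbac/role_binding.yaml.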
Signed-off-by: Ronny Baturov
---
 main.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 46309b990..42f58d8bf 100644
--- a/main.go
+++ b/main.go
@@ -34,6 +34,7 @@ import (
 securityv1 "github.com/openshift/api/security/v1"
 machineconfigv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 k8sruntime "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -235,7 +236,12 @@ func main() {
 klog.InfoS("metrics server", "enabled", params.enableMetrics, "addr", params.metricsAddr)
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
- Cache: cache.Options{}, // TODO: restrict namespace here?
+ Cache: cache.Options{
+ DefaultNamespaces: map[string]cache.Config{
+ namespace: {},
+ metav1.NamespaceNone: {},
+ },
+ },
 Scheme: scheme,
 Metrics: metricsserver.Options{
 BindAddress: params.metricsAddr,
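Review bot: `metav1.NamespaceNone` is the empty string — the same value as `metav1.NamespaceAll`, which controller-runtime exposes as `cache.AllNamespaces` — so the second `DefaultNamespaces` entry does not select cluster-scoped objects (as far as I can tell the multi-namespace cache already serves those from a separate cluster cache whenever `DefaultNamespaces` is non-empty) but instead adds a catch-all cache over every namespace other than `namespace`. Reading controller-runtime's multiNamespaceCache, that catch-all still starts a cluster-wide Service informer for any `Owns`/`Watches` on a namespaced type or any `List` without a namespace, which is exactly the `services is forbidden ... at the cluster scope` path the commit message quotes; only namespace-qualified `Get`s are confined to `namespace`, so please confirm against the vendored controller-runtime version. If the intent is "operator namespace plus cluster-scoped objects", drop the entry — `DefaultNamespaces: map[string]cache.Config{namespace: {}},` — and add a comment noting that cluster-scoped objects remain cached. If reads from other namespaces are really needed, spell the key as `cache.AllNamespaces` with a comment saying why, since the Role introduced in patch 1/2 does not permit that for Services. `main` continues outside the hunk on both sides.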