diff --git a/Dockerfile b/Dockerfile
index 4782b22c1..c74d9e1b0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static-debian11:nonroot
WORKDIR /
COPY --from=builder /workspace/manager .
ENTRYPOINT ["/manager"]
diff --git a/charts/kafka-operator/templates/operator-deployment-with-webhook.yaml b/charts/kafka-operator/templates/operator-deployment-with-webhook.yaml
index 365f91866..3bb05c3bf 100644
--- a/charts/kafka-operator/templates/operator-deployment-with-webhook.yaml
+++ b/charts/kafka-operator/templates/operator-deployment-with-webhook.yaml
@@ -213,7 +213,7 @@ spec:
{{- end }}
ports:
{{- if .Values.webhook.enabled }}
- - containerPort: {{ .Values.webhook.serverPort | default 443 }}
+ - containerPort: {{ .Values.webhook.serverPort | default 9443 }}
name: webhook-server
protocol: TCP
{{- end }}
diff --git a/charts/kafka-operator/templates/operator-rbac.yaml b/charts/kafka-operator/templates/operator-rbac.yaml
index d8c8a44cc..371cee9c7 100644
--- a/charts/kafka-operator/templates/operator-rbac.yaml
+++ b/charts/kafka-operator/templates/operator-rbac.yaml
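Review bot: `FROM gcr.io/distroless/static-debian11:nonroot` selects the base by a floating tag, so the runtime image can change underneath an otherwise identical build; pin it by digest too, e.g. `FROM gcr.io/distroless/static-debian11:nonroot@sha256:<image-digest>`, and bump the digest deliberately. The move to the nonroot variant is also what forces the 443→9443 changes elsewhere in this commit: the manager no longer runs as uid 0 (distroless nonroot images use uid 65532), so it cannot bind a privileged port, and any `--webhook-server-port` override below 1024 will fail at startup unless CAP_NET_BIND_SERVICE is granted. That coupling deserves a comment on the FROM line, e.g. `# nonroot variant: the manager runs unprivileged, so webhook/metrics ports must be >1024`.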
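Review bot: The container port default moves to 9443, but nothing in this hunk asks the kubelet to enforce the non-root execution the new base image provides; if the pod or container `securityContext` is not set elsewhere in this template, add `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` so a later image change cannot silently regain root. The `default 9443` must also agree with the value passed to the manager's `--webhook-server-port` flag (defaulted to 9443 in main.go in this commit) and with the chart's values.yaml, neither of which this hunk shows. A template comment such as `# must match --webhook-server-port passed to the manager` would help keep the two in lockstep.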
@@ -115,6 +115,63 @@ rules:
- get
- update
- patch
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - kafkaclusters/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - kafkausers/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - kafkatopics/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - cruisecontroloperations
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - cruisecontroloperations/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - cruisecontroloperations/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
- apiGroups:
- ""
resources:
@@ -234,33 +291,6 @@ rules:
- patch
- update
- watch
-- apiGroups:
- - kafka.banzaicloud.io
- resources:
- - cruisecontroloperations
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - kafka.banzaicloud.io
- resources:
- - cruisecontroloperations/finalizers
- verbs:
- - update
-- apiGroups:
- - kafka.banzaicloud.io
- resources:
- - cruisecontroloperations/status
- verbs:
- - get
- - patch
- - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
diff --git a/charts/kafka-operator/templates/operator-service.yaml b/charts/kafka-operator/templates/operator-service.yaml
index 1af4f9dfe..9de7062ca 100644
--- a/charts/kafka-operator/templates/operator-service.yaml
+++ b/charts/kafka-operator/templates/operator-service.yaml
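Review bot: The four new `*/finalizers` rules grant `create`, `delete` and `patch` on top of `update`, but the API server only ever authorizes `update` on the finalizers subresource (the OwnerReferencesPermissionEnforcement admission plugin checks it when a dependent sets `blockOwnerDeletion`); the extra verbs widen the ClusterRole without enabling anything, and the `cruisecontroloperations/finalizers` rule this commit deletes in the `@@ -234,33 +291,6 @@` hunk had the tighter `verbs:` / `- update`. Trim each finalizers rule back to `- update` only. The same surplus is regenerated into config/base/rbac/role.yaml and originates in the `+kubebuilder:rbac` markers added to the four controllers in this commit (`verbs=create;update;patch;delete` → `verbs=update`), so the fix belongs at the markers followed by a regenerate.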
@@ -28,9 +28,9 @@ spec:
ports:
- name: https
port: 443
- targetPort: {{ (.Values.webhook).serverPort | default 443 }}
+ targetPort: webhook-server
{{- if and .Values.prometheusMetrics.enabled (not .Values.prometheusMetrics.authProxy.enabled) }}
- name: metrics
port: 8080
- targetPort: {{ (.Values.metricEndpoint).port | default 8080 }}
+ targetPort: metrics
{{- end }}
diff --git a/config/base/rbac/role.yaml b/config/base/rbac/role.yaml
index 62150dc45..58e792520 100644
--- a/config/base/rbac/role.yaml
+++ b/config/base/rbac/role.yaml
@@ -178,6 +178,9 @@ rules:
resources:
- cruisecontroloperations/finalizers
verbs:
+ - create
+ - delete
+ - patch
- update
- apiGroups:
- kafka.banzaicloud.io
@@ -199,6 +202,15 @@ rules:
- patch
- update
- watch
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - kafkaclusters/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
- apiGroups:
- kafka.banzaicloud.io
resources:
@@ -220,6 +232,15 @@ rules:
- patch
- update
- watch
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - kafkatopics/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
- apiGroups:
- kafka.banzaicloud.io
resources:
@@ -241,6 +262,15 @@ rules:
- patch
- update
- watch
+- apiGroups:
+ - kafka.banzaicloud.io
+ resources:
+ - kafkausers/finalizers
+ verbs:
+ - create
+ - delete
+ - patch
+ - update
- apiGroups:
- kafka.banzaicloud.io
resources:
diff --git a/config/base/webhook/service.yaml b/config/base/webhook/service.yaml
index b4861025a..31e0f8295 100644
--- a/config/base/webhook/service.yaml
+++ b/config/base/webhook/service.yaml
@@ -7,6 +7,6 @@ metadata:
spec:
ports:
- port: 443
- targetPort: 443
+ targetPort: 9443
selector:
control-plane: controller-manager
diff --git a/controllers/cruisecontroloperation_controller.go b/controllers/cruisecontroloperation_controller.go
index 7ffe1d67a..1608a92ab 100644
--- a/controllers/cruisecontroloperation_controller.go
+++ b/controllers/cruisecontroloperation_controller.go
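Review bot: `targetPort: webhook-server` and `targetPort: metrics` switch to named container ports, which correctly decouples the Service from the flag value, but the `https` entry is rendered unconditionally while the `webhook-server` containerPort is declared only under `{{- if .Values.webhook.enabled }}` in operator-deployment-with-webhook.yaml; with webhooks disabled the Service points at a name no container declares and gets no endpoints — harmless, but worth wrapping in the same condition. I cannot see a containerPort named `metrics` anywhere in this diff; confirm the deployment template declares one with exactly that name, otherwise the metrics Service silently stops routing and scrape failures are the only symptom.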
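Review bot: `targetPort: 9443` in config/base/webhook/service.yaml hard-codes the manager's new default instead of a named port, so it drifts silently if `--webhook-server-port` is ever overridden in the kustomize manager manifest. If that manifest names its webhook containerPort, reference the name here as the Helm chart now does; otherwise add `# must match --webhook-server-port (main.go default 9443)` above the line so the coupling is visible.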
@@ -70,7 +70,7 @@ type CruiseControlOperationReconciler struct {
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations,verbs=get;list;watch;create;update;patch;delete;deletecollection
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/finalizers,verbs=update
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=cruisecontroloperations/finalizers,verbs=create;update;patch;delete
//nolint:gocyclo
func (r *CruiseControlOperationReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/kafkacluster_controller.go b/controllers/kafkacluster_controller.go
index 15366c667..74bbabbae 100644
--- a/controllers/kafkacluster_controller.go
+++ b/controllers/kafkacluster_controller.go
@@ -79,6 +79,7 @@ type KafkaClusterReconciler struct {
// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/finalizers,verbs=create;update;patch;delete
// +kubebuilder:rbac:groups=servicemesh.cisco.com,resources=istiomeshgateways,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=networking.istio.io,resources=*,verbs=*
diff --git a/controllers/kafkatopic_controller.go b/controllers/kafkatopic_controller.go
index 228e6020d..496c36fbe 100644
--- a/controllers/kafkatopic_controller.go
+++ b/controllers/kafkatopic_controller.go
@@ -71,6 +71,7 @@ type KafkaTopicReconciler struct {
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics,verbs=get;list;watch;create;update;patch;delete;deletecollection
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkatopics/finalizers,verbs=create;update;patch;delete
// Reconcile reconciles the kafka topic
func (r *KafkaTopicReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
diff --git a/controllers/kafkauser_controller.go b/controllers/kafkauser_controller.go
index 169840bb8..ffe41e3fe 100644
--- a/controllers/kafkauser_controller.go
+++ b/controllers/kafkauser_controller.go
@@ -154,6 +154,7 @@ type KafkaUserReconciler struct {
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers,verbs=get;list;watch;create;update;patch;delete;deletecollection
// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkausers/finalizers,verbs=create;update;patch;delete
// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=cert-manager.io,resources=clusterissuers,verbs=get;list;watch;create;update;patch;delete
diff --git a/go.mod b/go.mod
index 850e024c9..41104e81a 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
github.com/banzaicloud/istio-client-go v0.0.17
github.com/banzaicloud/istio-operator/api/v2 v2.15.1
github.com/banzaicloud/k8s-objectmatcher v1.8.0
- github.com/banzaicloud/koperator/api v0.24.0
+ github.com/banzaicloud/koperator/api v0.25.0
github.com/banzaicloud/koperator/properties v0.4.1
github.com/cert-manager/cert-manager v1.9.1
github.com/cisco-open/cluster-registry-controller/api v0.2.5
diff --git a/go.sum b/go.sum
index 5c3729bb6..c51e92a87 100644
--- a/go.sum
+++ b/go.sum
@@ -100,8 +100,8 @@ github.com/banzaicloud/istio-operator/api/v2 v2.15.1 h1:BZg8COvoOJtfx/dgN7KpoOnc
github.com/banzaicloud/istio-operator/api/v2 v2.15.1/go.mod h1:5qCpwWlIfxiLvBfTvT2mD2wp5RlFCDEt8Xql4sYPNBc=
github.com/banzaicloud/k8s-objectmatcher v1.8.0 h1:Nugn25elKtPMTA2br+JgHNeSQ04sc05MDPmpJnd1N2A=
github.com/banzaicloud/k8s-objectmatcher v1.8.0/go.mod h1:p2LSNAjlECf07fbhDyebTkPUIYnU05G+WfGgkTmgeMg=
-github.com/banzaicloud/koperator/api v0.24.0 h1:RwhKWy8umzpKhKEa0J6xgvv5wOU37ti3A9JqIjCHrDk=
-github.com/banzaicloud/koperator/api v0.24.0/go.mod h1:qvpewvjdELAnfO70vg9397CXZ4K4uHxpiWtf5fhKSrQ=
+github.com/banzaicloud/koperator/api v0.25.0 h1:cRfoWRUThrAEVnszeeXJkz42gNGezonl3+bGdvbxkNQ=
+github.com/banzaicloud/koperator/api v0.25.0/go.mod h1:qvpewvjdELAnfO70vg9397CXZ4K4uHxpiWtf5fhKSrQ=
github.com/banzaicloud/koperator/properties v0.4.1 h1:SB2QgXlcK1Dc7Z1rg65PJifErDa8OQnoWCCJgmC7SGc=
github.com/banzaicloud/koperator/properties v0.4.1/go.mod h1:TcL+llxuhW3UeQtVEDYEXGouFLF2P+LuZZVudSb6jyA=
github.com/banzaicloud/operator-tools v0.28.0 h1:GSfc0qZr6zo7WrNxdgWZE1LcTChPU8QFYOTDirYVtIM=
diff --git a/main.go b/main.go
index cb015ed06..8f821677f 100644
--- a/main.go
+++ b/main.go
@@ -97,7 +97,7 @@ func main() {
"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&webhookDisabled, "disable-webhooks", false, "Disable webhooks used to validate custom resources")
flag.StringVar(&webhookCertDir, "tls-cert-dir", "/etc/webhook/certs", "The directory with a tls.key and tls.crt for serving HTTPS requests")
- flag.IntVar(&webhookServerPort, "webhook-server-port", 443, "The port that the webhook server serves at")
+ flag.IntVar(&webhookServerPort, "webhook-server-port", 9443, "The port that the webhook server serves at")
flag.BoolVar(&developmentLogging, "development", false, "Enable development logging")
flag.BoolVar(&verboseLogging, "verbose", false, "Enable verbose logging")
flag.BoolVar(&certManagerEnabled, "cert-manager-enabled", false, "Enable cert-manager integration")
diff --git a/pkg/resources/envoy/deployment.go b/pkg/resources/envoy/deployment.go
index e66c7100b..e3afb79df 100644
--- a/pkg/resources/envoy/deployment.go
+++ b/pkg/resources/envoy/deployment.go
@@ -117,6 +117,7 @@ func (r *Reconciler) deployment(log logr.Logger, extListener v1beta1.ExternalLis
Resources: *ingressConfig.EnvoyConfig.GetResources(),
},
},
+ SecurityContext: ingressConfig.EnvoyConfig.GetPodSecurityContext(),
Volumes: volumes,
PriorityClassName: ingressConfig.EnvoyConfig.GetPriorityClassName(),
},
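Review bot: The help text `"The port that the webhook server serves at"` does not say why the default moved from 443 to 9443, and the reason is a security constraint rather than taste: the manager image now runs as a non-root user and cannot bind a privileged port, so an operator who overrides this flag back below 1024 gets a bind failure at startup. Extend the help string, e.g. `"The port that the webhook server serves at (must be >1024, the manager runs as a non-root user)"`. Changing the default is also a behavior change for existing installs whose Service or NetworkPolicy target 443 directly; it should be called out in the release notes. The body of `main` continues outside the hunk.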
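Review bot: `SecurityContext: ingressConfig.EnvoyConfig.GetPodSecurityContext()` places a user-supplied value on the PodSpec with no fallback; if the getter returns nil when the CRD field is unset (its body is not visible here), the Envoy pods keep running with no pod-level security context, and this hunk sets no container-level context either (`AllowPrivilegeEscalation: false`, dropped capabilities, read-only root filesystem). Consider a restrictive default when the user supplies none — at least `RunAsNonRoot: true` and `SeccompProfile: {Type: RuntimeDefault}` — and document on the CRD field that omitting it means no restriction is applied. The enclosing `deployment` method starts outside the hunk.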