Two identical Kubebuilders in different CRs with *

[OdedViner]

Bug Report

When there are two identical Kubebuilders [same groups ] in different CRs and the verb in one of them is * then we need to add a condition that verbs=* and not verbs=*+[list, update...]

In this example:

controllers/storagecluster/reconcile.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=*
func (r *StorageClusterReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {

controllers/storagerequest/storagerequest_controller.go
// +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=get;list;watch;create;update;patch;delete
func (r *StorageRequestReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {


config/rbac/role.yaml
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - '*'
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
https://github.com/red-hat-storage/ocs-operator/blob/main/config/rbac/role.yaml#L409-L421

What did you do?

What did you expect to see?

astricks+[get,list,create]=astricks

What did you see instead? Under which circumstances?

Environment

Operator type:
Golang

Kubernetes cluster type:
Openshift

$ operator-sdk version

$ go version (if language is Go)
$ go version
go version go1.22.3 linux/amd64

$ kubectl version

Possible Solution

Additional context

[acornett21]

Hi @OdedViner since this is about kubebuilder, this issue is probably best opened in that project.

[OdedViner]

@acornett21 done kubernetes-sigs/kubebuilder#4222