add system:aro-sre clusterrole and clusterrolebinding

Makefile

@@ -24,6 +24,11 @@ clean:
 client: generate
 	hack/build-client.sh 2020-04-30 2021-01-31-preview
 
+discoverycache:
+	$(MAKE) admin.kubeconfig
+	KUBECONFIG=admin.kubeconfig go run ./hack/gendiscoverycache
+	$(MAKE) generate
+
 generate:
 	go generate ./...
 
@@ -119,4 +124,4 @@ vendor:
 	# https://groups.google.com/forum/#!topic/golang-nuts/51-D_YFC78k
 	hack/update-go-module-dependencies.sh
 
-.PHONY: admin.kubeconfig aro az clean client generate image-aro image-fluentbit image-proxy image-routefix lint-go proxy publish-image-aro publish-image-fluentbit publish-image-proxy publish-image-routefix secrets secrets-update e2e.test test-e2e test-go test-python vendor
+.PHONY: admin.kubeconfig aro az clean client discoverycache generate image-aro image-fluentbit image-proxy image-routefix lint-go proxy publish-image-aro publish-image-fluentbit publish-image-proxy publish-image-routefix secrets secrets-update e2e.test test-e2e test-go test-python vendor

cmd/aro/operator.go

@@ -26,9 +26,11 @@ import (
 	"github.com/Azure/ARO-RP/pkg/operator/controllers/genevalogging"
 	"github.com/Azure/ARO-RP/pkg/operator/controllers/monitoring"
 	"github.com/Azure/ARO-RP/pkg/operator/controllers/pullsecret"
+	"github.com/Azure/ARO-RP/pkg/operator/controllers/rbac"
 	"github.com/Azure/ARO-RP/pkg/operator/controllers/routefix"
 	"github.com/Azure/ARO-RP/pkg/operator/controllers/workaround"
 	"github.com/Azure/ARO-RP/pkg/util/deployment"
+	"github.com/Azure/ARO-RP/pkg/util/dynamichelper"
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 	// +kubebuilder:scaffold:imports
 )
@@ -82,6 +84,10 @@ func operator(ctx context.Context, log *logrus.Entry) error {
 	if err != nil {
 		return err
 	}
+	dh, err := dynamichelper.New(log, restConfig)
+	if err != nil {
+		return err
+	}
 
 	if role == pkgoperator.RoleMaster {
 		if err = (genevalogging.NewReconciler(
@@ -115,6 +121,11 @@ func operator(ctx context.Context, log *logrus.Entry) error {
 			kubernetescli)).SetupWithManager(mgr); err != nil {
 			return fmt.Errorf("unable to create controller Monitoring: %v", err)
 		}
+		if err = (rbac.NewReconciler(
+			log.WithField("controller", controllers.RBACControllerName),
+			arocli, dh)).SetupWithManager(mgr); err != nil {
+			return fmt.Errorf("unable to create controller RBAC: %v", err)
+		}
 	}
 
 	if err = (checker.NewReconciler(

hack/gendiscoverycache/compact.go

@@ -0,0 +1,100 @@
+package main
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"sort"
+	"strings"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func compactVerbs(in []rbacv1.PolicyRule) []rbacv1.PolicyRule {
+	out := make([]rbacv1.PolicyRule, 0, len(in))
+	m := map[schema.GroupResource]map[string]struct{}{}
+
+	for _, r := range in {
+		if len(r.NonResourceURLs) > 0 ||
+			len(r.ResourceNames) > 0 ||
+			len(r.APIGroups) != 1 ||
+			len(r.Resources) != 1 {
+			out = append(out, r)
+			continue
+		}
+
+		k := schema.GroupResource{Group: r.APIGroups[0], Resource: r.Resources[0]}
+		for _, v := range r.Verbs {
+			if m[k] == nil {
+				m[k] = map[string]struct{}{}
+			}
+			m[k][v] = struct{}{}
+		}
+	}
+
+	for gr, verbs := range m {
+		pr := &rbacv1.PolicyRule{
+			APIGroups: []string{gr.Group},
+			Resources: []string{gr.Resource},
+		}
+
+		for v := range verbs {
+			pr.Verbs = append(pr.Verbs, v)
+		}
+		sort.Strings(pr.Verbs)
+
+		out = append(out, *pr)
+	}
+
+	return out
+}
+
+func compactResources(in []rbacv1.PolicyRule) []rbacv1.PolicyRule {
+	out := make([]rbacv1.PolicyRule, 0, len(in))
+	type groupVerbs struct {
+		Group string
+		Verbs string
+	}
+	m := map[groupVerbs]map[string]struct{}{}
+
+	for _, r := range in {
+		if len(r.NonResourceURLs) > 0 ||
+			len(r.ResourceNames) > 0 ||
+			len(r.APIGroups) != 1 {
+			out = append(out, r)
+			continue
+		}
+
+		k := groupVerbs{Group: r.APIGroups[0], Verbs: strings.Join(r.Verbs, "/")}
+		for _, r := range r.Resources {
+			if m[k] == nil {
+				m[k] = map[string]struct{}{}
+			}
+			m[k][r] = struct{}{}
+		}
+	}
+
+	for gv, resources := range m {
+		pr := &rbacv1.PolicyRule{
+			APIGroups: []string{gv.Group},
+			Verbs:     strings.Split(gv.Verbs, "/"),
+		}
+
+		for r := range resources {
+			pr.Resources = append(pr.Resources, r)
+		}
+		sort.Strings(pr.Resources)
+
+		out = append(out, *pr)
+	}
+
+	return out
+}
+
+func compactRules(rules []rbacv1.PolicyRule) []rbacv1.PolicyRule {
+	rules = compactVerbs(rules)
+	rules = compactResources(rules)
+
+	return rules
+}

hack/gendiscoverycache/gendiscoverycache.go

@@ -4,96 +4,34 @@ package main
 // Licensed under the Apache License 2.0.
 
 import (
-	"context"
 	"encoding/json"
-	"errors"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 
-	configv1 "github.com/openshift/api/config/v1"
-	configclient "github.com/openshift/client-go/config/clientset/versioned"
-	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/discovery/cached/disk"
-	"k8s.io/client-go/tools/clientcmd"
-
-	utillog "github.com/Azure/ARO-RP/pkg/util/log"
+	"k8s.io/client-go/rest"
 )
 
-const discoveryCacheDir = "pkg/util/dynamichelper/discovery/cache"
-
-func run(ctx context.Context, log *logrus.Entry) error {
-	kubeconfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
-		clientcmd.NewDefaultClientConfigLoadingRules(),
-		&clientcmd.ConfigOverrides{},
-	)
-
-	restconfig, err := kubeconfig.ClientConfig()
-	if err != nil {
-		return err
-	}
-
-	configcli, err := configclient.NewForConfig(restconfig)
-	if err != nil {
-		return err
-	}
-
-	clusterVersion, err := getClusterVersion(ctx, configcli)
-	if err != nil {
-		return err
-	}
-
-	err = os.RemoveAll(discoveryCacheDir)
-	if err != nil {
-		return err
-	}
-
+func genDiscoveryCache(restconfig *rest.Config) error {
 	cli, err := disk.NewCachedDiscoveryClientForConfig(restconfig, discoveryCacheDir, "", 0)
 	if err != nil {
 		return err
 	}
 
-	return writeAssets(cli, clusterVersion, discoveryCacheDir)
-}
-
-func getClusterVersion(ctx context.Context, configcli configclient.Interface) (string, error) {
-	cv, err := configcli.ConfigV1().ClusterVersions().Get(ctx, "version", metav1.GetOptions{})
-	if err != nil {
-		return "", err
-	}
-
-	for _, history := range cv.Status.History {
-		if history.State == configv1.CompletedUpdate {
-			return history.Version, nil
-		}
-	}
-
-	// Should never happen as a successfully created cluster
-	// should have at least one completed update.
-	return "", errors.New("could find actual cluster version")
-}
-
-func writeAssets(cli discovery.DiscoveryInterface, clusterVersion, cacheDir string) error {
-	_, _, err := cli.ServerGroupsAndResources()
+	_, _, err = cli.ServerGroupsAndResources()
 	if err != nil {
 		return err
 	}
 
-	versionPath := filepath.Join(cacheDir, "assets_version")
-	err = ioutil.WriteFile(versionPath, []byte(clusterVersion+"\n"), 0666)
-	if err != nil {
-		return err
-	}
-
-	return canonicalizeAssets(cacheDir)
+	return canonicalizeAssets()
 }
 
-func canonicalizeAssets(cacheDir string) error {
-	return filepath.Walk(cacheDir, func(path string, info os.FileInfo, err error) error {
+func canonicalizeAssets() error {
+	return filepath.Walk(discoveryCacheDir, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
@@ -160,11 +98,3 @@ func canonicalizeServerResources(path string) error {
 
 	return ioutil.WriteFile(path, append(b, '\n'), 0666)
 }
-
-func main() {
-	log := utillog.GetLogger()
-
-	if err := run(context.Background(), log); err != nil {
-		log.Fatal(err)
-	}
-}

hack/gendiscoverycache/genrbac.go

@@ -0,0 +1,135 @@
+package main
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+)
+
+func genRBAC(restconfig *rest.Config) error {
+	cli, err := discovery.NewDiscoveryClientForConfig(restconfig)
+	if err != nil {
+		return err
+	}
+
+	r := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "system:aro-sre",
+		},
+	}
+
+	err = walk(cli, func(group string, apiresource *metav1.APIResource) {
+		r.Rules = append(r.Rules, sreRules(group, apiresource)...)
+	})
+	if err != nil {
+		return err
+	}
+
+	r.Rules = compactRules(r.Rules)
+
+	sort.SliceStable(r.Rules, func(i, j int) bool { return strings.Compare(r.Rules[i].Resources[0], r.Rules[j].Resources[0]) < 0 })
+	sort.SliceStable(r.Rules, func(i, j int) bool { return strings.Compare(r.Rules[i].APIGroups[0], r.Rules[j].APIGroups[0]) < 0 })
+
+	r.Rules = append(r.Rules, rbacv1.PolicyRule{
+		NonResourceURLs: []string{rbacv1.NonResourceAll},
+		Verbs:           []string{"get"},
+	})
+
+	serializer := json.NewSerializerWithOptions(
+		json.DefaultMetaFactory, scheme.Scheme, scheme.Scheme,
+		json.SerializerOptions{Yaml: true},
+	)
+
+	yaml := scheme.Codecs.CodecForVersions(serializer, nil, schema.GroupVersions(scheme.Scheme.PrioritizedVersionsAllGroups()), nil)
+
+	f, err := os.Create("pkg/operator/controllers/rbac/staticresources/clusterrole.yaml")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = fmt.Fprintln(f, "# Code generated by hack/gendiscoverycache; DO NOT EDIT.")
+	if err != nil {
+		return err
+	}
+
+	return yaml.Encode(r, f)
+}
+
+func walk(cli discovery.DiscoveryInterface, f func(string, *metav1.APIResource)) error {
+	_, resources, err := cli.ServerGroupsAndResources()
+	if err != nil {
+		return err
+	}
+
+	for _, apiresources := range resources {
+		gv, err := schema.ParseGroupVersion(apiresources.GroupVersion)
+		if err != nil {
+			return err
+		}
+
+		for _, apiresource := range apiresources.APIResources {
+			f(gv.Group, &apiresource)
+		}
+	}
+
+	return nil
+}
+
+func sreRules(group string, apiresource *metav1.APIResource) (prs []rbacv1.PolicyRule) {
+	if group == "oauth.openshift.io" {
+		return
+	}
+
+	if group == "" && apiresource.Name == "secrets" {
+		return
+	}
+
+	if strings.ContainsRune(apiresource.Name, '/') &&
+		!strings.HasSuffix(apiresource.Name, "/log") {
+		return
+	}
+
+	for _, verb := range apiresource.Verbs {
+		if isReadOnly(group, apiresource, verb) {
+			prs = append(prs, rbacv1.PolicyRule{
+				APIGroups: []string{group},
+				Resources: []string{apiresource.Name},
+				Verbs:     []string{verb},
+			})
+		}
+	}
+
+	return
+}
+
+func isReadOnly(group string, apiresource *metav1.APIResource, verb string) bool {
+	switch verb {
+	case "get", "list", "watch":
+		return true
+	case "create":
+		gr := schema.GroupResource{Group: group, Resource: apiresource.Name}.String()
+		switch gr {
+		case "tokenreviews.authentication.k8s.io",
+			"selfsubjectaccessreviews.authorization.k8s.io",
+			"selfsubjectrulesreviews.authorization.k8s.io",
+			"subjectaccessreviews.authorization.k8s.io",
+			"resourceaccessreviews.authorization.openshift.io",
+			"subjectaccessreviews.authorization.openshift.io":
+			return true
+		}
+	}
+	return false
+}

hack/gendiscoverycache/main.go

@@ -0,0 +1,92 @@
+package main
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+	"errors"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	configv1 "github.com/openshift/api/config/v1"
+	configclient "github.com/openshift/client-go/config/clientset/versioned"
+	"github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	utillog "github.com/Azure/ARO-RP/pkg/util/log"
+)
+
+const discoveryCacheDir = "pkg/util/dynamichelper/discovery/cache"
+
+func run(ctx context.Context, log *logrus.Entry) error {
+	kubeconfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		clientcmd.NewDefaultClientConfigLoadingRules(),
+		&clientcmd.ConfigOverrides{},
+	)
+
+	restconfig, err := kubeconfig.ClientConfig()
+	if err != nil {
+		return err
+	}
+
+	err = os.RemoveAll(discoveryCacheDir)
+	if err != nil {
+		return err
+	}
+
+	err = genDiscoveryCache(restconfig)
+	if err != nil {
+		return err
+	}
+
+	err = genRBAC(restconfig)
+	if err != nil {
+		return err
+	}
+
+	return writeVersion(ctx, restconfig)
+}
+
+func writeVersion(ctx context.Context, restconfig *rest.Config) error {
+	configcli, err := configclient.NewForConfig(restconfig)
+	if err != nil {
+		return err
+	}
+
+	clusterVersion, err := getClusterVersion(ctx, configcli)
+	if err != nil {
+		return err
+	}
+
+	versionPath := filepath.Join(discoveryCacheDir, "assets_version")
+	return ioutil.WriteFile(versionPath, []byte(clusterVersion+"\n"), 0666)
+}
+
+func getClusterVersion(ctx context.Context, configcli configclient.Interface) (string, error) {
+	cv, err := configcli.ConfigV1().ClusterVersions().Get(ctx, "version", metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	for _, history := range cv.Status.History {
+		if history.State == configv1.CompletedUpdate {
+			return history.Version, nil
+		}
+	}
+
+	// Should never happen as a successfully created cluster
+	// should have at least one completed update.
+	return "", errors.New("could find actual cluster version")
+}
+
+func main() {
+	log := utillog.GetLogger()
+
+	if err := run(context.Background(), log); err != nil {
+		log.Fatal(err)
+	}
+}

pkg/operator/controllers/const.go

@@ -11,4 +11,5 @@ const (
 	CheckerControllerName       = "Checker"
 	RouteFixControllerName      = "RouteFix"
 	MonitoringControllerName    = "Monitoring"
+	RBACControllerName          = "RBAC"
 )

pkg/operator/controllers/rbac/generate.go

@@ -0,0 +1,7 @@
+package rbac
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+//go:generate go run ../../../../vendor/github.com/go-bindata/go-bindata/go-bindata -nometadata -pkg $GOPACKAGE -prefix staticresources staticresources/...
+//go:generate gofmt -s -l -w bindata.go

pkg/operator/controllers/rbac/rbac_controller.go

@@ -0,0 +1,97 @@
+package rbac
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	arov1alpha1 "github.com/Azure/ARO-RP/pkg/operator/apis/aro.openshift.io/v1alpha1"
+	aroclient "github.com/Azure/ARO-RP/pkg/operator/clientset/versioned/typed/aro.openshift.io/v1alpha1"
+	"github.com/Azure/ARO-RP/pkg/operator/controllers"
+	"github.com/Azure/ARO-RP/pkg/util/dynamichelper"
+)
+
+type RBACReconciler struct {
+	log *logrus.Entry
+
+	arocli aroclient.AroV1alpha1Interface
+	dh     dynamichelper.Interface
+}
+
+func NewReconciler(log *logrus.Entry, arocli aroclient.AroV1alpha1Interface, dh dynamichelper.Interface) *RBACReconciler {
+	return &RBACReconciler{
+		log:    log,
+		arocli: arocli,
+		dh:     dh,
+	}
+}
+
+func (r *RBACReconciler) Reconcile(request ctrl.Request) (ctrl.Result, error) {
+	// TODO(mj): controller-runtime master fixes the need for this (https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/reconcile/reconcile.go#L93) but it's not yet released.
+	ctx := context.Background()
+	if request.Name != arov1alpha1.SingletonClusterName {
+		return reconcile.Result{}, nil
+	}
+
+	instance, err := r.arocli.Clusters().Get(ctx, request.Name, metav1.GetOptions{})
+	if err != nil {
+		r.log.Error(err)
+		return reconcile.Result{}, err
+	}
+
+	var resources []runtime.Object
+	for _, assetName := range AssetNames() {
+		b, err := Asset(assetName)
+		if err != nil {
+			r.log.Error(err)
+			return reconcile.Result{}, err
+		}
+
+		resource, _, err := scheme.Codecs.UniversalDeserializer().Decode(b, nil, nil)
+		if err != nil {
+			r.log.Error(err)
+			return reconcile.Result{}, err
+		}
+
+		resources = append(resources, resource)
+	}
+
+	err = dynamichelper.SetControllerReferences(resources, instance)
+	if err != nil {
+		r.log.Error(err)
+		return reconcile.Result{}, err
+	}
+
+	uns, err := dynamichelper.Prepare(resources)
+	if err != nil {
+		r.log.Error(err)
+		return reconcile.Result{}, err
+	}
+
+	err = r.dh.Ensure(ctx, uns...)
+	if err != nil {
+		r.log.Error(err)
+		return reconcile.Result{}, err
+	}
+
+	return reconcile.Result{}, nil
+}
+
+// SetupWithManager setup our mananger
+func (r *RBACReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&arov1alpha1.Cluster{}).
+		Owns(&rbacv1.ClusterRole{}).
+		Owns(&rbacv1.ClusterRoleBinding{}).
+		Named(controllers.RBACControllerName).
+		Complete(r)
+}

pkg/operator/controllers/rbac/staticresources/clusterrole.yaml

@@ -0,0 +1,613 @@
+# Code generated by hack/gendiscoverycache; DO NOT EDIT.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: system:aro-sre
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - componentstatuses
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - limitranges
+  - namespaces
+  - nodes
+  - persistentvolumeclaims
+  - persistentvolumes
+  - pods
+  - podtemplates
+  - replicationcontrollers
+  - resourcequotas
+  - serviceaccounts
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - controllerrevisions
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps.openshift.io
+  resources:
+  - deploymentconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps.openshift.io
+  resources:
+  - deploymentconfigs/log
+  verbs:
+  - get
+- apiGroups:
+  - aro.openshift.io
+  resources:
+  - clusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - selfsubjectaccessreviews
+  - selfsubjectrulesreviews
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.openshift.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - rolebindings
+  - roles
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - authorization.openshift.io
+  resources:
+  - resourceaccessreviews
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.openshift.io
+  resources:
+  - rolebindingrestrictions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - autoscaling.openshift.io
+  resources:
+  - clusterautoscalers
+  - machineautoscalers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - build.openshift.io
+  resources:
+  - buildconfigs
+  - builds
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - build.openshift.io
+  resources:
+  - builds/log
+  verbs:
+  - get
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cloudcredential.openshift.io
+  resources:
+  - credentialsrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  - authentications
+  - builds
+  - clusteroperators
+  - clusterversions
+  - consoles
+  - dnses
+  - featuregates
+  - images
+  - infrastructures
+  - ingresses
+  - networks
+  - oauths
+  - operatorhubs
+  - projects
+  - proxies
+  - schedulers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - console.openshift.io
+  resources:
+  - consoleclidownloads
+  - consoleexternalloglinks
+  - consolelinks
+  - consolenotifications
+  - consoleyamlsamples
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  - prioritylevelconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - image.openshift.io
+  resources:
+  - images
+  - imagestreams
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - image.openshift.io
+  resources:
+  - imagestreamimages
+  verbs:
+  - get
+- apiGroups:
+  - image.openshift.io
+  resources:
+  - imagestreamtags
+  - imagetags
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - imageregistry.operator.openshift.io
+  resources:
+  - configs
+  - imagepruners
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ingress.operator.openshift.io
+  resources:
+  - dnsrecords
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - k8s.cni.cncf.io
+  resources:
+  - network-attachment-definitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - machine.openshift.io
+  resources:
+  - machinehealthchecks
+  - machines
+  - machinesets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - machineconfiguration.openshift.io
+  resources:
+  - containerruntimeconfigs
+  - controllerconfigs
+  - kubeletconfigs
+  - machineconfigpools
+  - machineconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metal3.io
+  resources:
+  - baremetalhosts
+  - provisionings
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - nodes
+  - pods
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storagestates
+  - storageversionmigrations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - podmonitors
+  - prometheuses
+  - prometheusrules
+  - servicemonitors
+  - thanosrulers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - network.openshift.io
+  resources:
+  - clusternetworks
+  - egressnetworkpolicies
+  - hostsubnets
+  - netnamespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - network.operator.openshift.io
+  resources:
+  - operatorpkis
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  - ingresses
+  - networkpolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - node.k8s.io
+  resources:
+  - runtimeclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - operator.openshift.io
+  resources:
+  - authentications
+  - cloudcredentials
+  - configs
+  - consoles
+  - csisnapshotcontrollers
+  - dnses
+  - etcds
+  - imagecontentsourcepolicies
+  - ingresscontrollers
+  - kubeapiservers
+  - kubecontrollermanagers
+  - kubeschedulers
+  - kubestorageversionmigrators
+  - networks
+  - openshiftapiservers
+  - openshiftcontrollermanagers
+  - servicecas
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - operators.coreos.com
+  resources:
+  - catalogsources
+  - clusterserviceversions
+  - installplans
+  - operatorgroups
+  - operatorsources
+  - subscriptions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - packages.operators.coreos.com
+  resources:
+  - packagemanifests
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  - podsecuritypolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - project.openshift.io
+  resources:
+  - projectrequests
+  verbs:
+  - list
+- apiGroups:
+  - project.openshift.io
+  resources:
+  - projects
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - quota.openshift.io
+  resources:
+  - appliedclusterresourcequotas
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - quota.openshift.io
+  resources:
+  - clusterresourcequotas
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - rolebindings
+  - roles
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - samples.operator.openshift.io
+  resources:
+  - configs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - scheduling.k8s.io
+  resources:
+  - priorityclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - rangeallocations
+  - securitycontextconstraints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  - volumesnapshotcontents
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csidrivers
+  - csinodes
+  - storageclasses
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - template.openshift.io
+  resources:
+  - brokertemplateinstances
+  - templateinstances
+  - templates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - tuned.openshift.io
+  resources:
+  - profiles
+  - tuneds
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - user.openshift.io
+  resources:
+  - groups
+  - identities
+  - users
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - user.openshift.io
+  resources:
+  - useridentitymappings
+  verbs:
+  - get
+- apiGroups:
+  - whereabouts.cni.cncf.io
+  resources:
+  - ippools
+  verbs:
+  - get
+  - list
+  - watch
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - get

pkg/operator/controllers/rbac/staticresources/clusterrolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:aro-sre
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:aro-sre
+subjects:
+- kind: User
+  name: system:aro-sre

pkg/util/dynamichelper/discovery/cache_fallback_discovery_client_test.go

@@ -21,13 +21,8 @@ import (
 	"github.com/Azure/ARO-RP/test/util/cmp"
 )
 
-// TestVersion makes sure that bindata contains cache generated
-// with the supported OpenShift version.
-// To update discovery cache:
-//   1. Create a new cluster
-//	 2. Run `oc login` against this cluster or set KUBECONFIG env variable
-//   3. Run `go run ./hack/gendiscoverycache/gendiscoverycache.go`
-//   4. Run `make generate`
+// TestVersion makes sure that bindata contains cache generated with the
+// supported OpenShift version.
 func TestVersion(t *testing.T) {
 	b, err := Asset("assets_version")
 	if err != nil {
@@ -36,7 +31,7 @@ func TestVersion(t *testing.T) {
 
 	assetsVersion := strings.TrimSuffix(string(b), "\n")
 	if assetsVersion != version.InstallStream.Version.String() {
-		t.Error(assetsVersion)
+		t.Error("discovery cache is out of date: run make discoverycache")
 	}
 }