From 5649e75706cf25130bca802313457647fe068b71 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 18 Nov 2025 03:53:57 +0000
Subject: [PATCH] fix(api): correct API group and add RBAC for cluster node access

Fix two issues preventing the API from accessing cluster nodes:

1. API group mismatch in k8s client - changed from stream.streamspace.io to stream.space to match CRD definitions
2. Missing RBAC configuration for API backend - added ServiceAccount, ClusterRole with node permissions, and Role for namespace-scoped resources

The static manifests were missing RBAC for the API service account, which needs cluster-wide access to nodes since they are cluster-scoped resources.
---
 api/internal/k8s/client.go | 4 +-
 manifests/config/rbac.yaml | 111 +++++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+), 2 deletions(-)

diff --git a/api/internal/k8s/client.go b/api/internal/k8s/client.go
index 07c7c446..2aed95c2 100644
--- a/api/internal/k8s/client.go
+++ b/api/internal/k8s/client.go
@@ -189,13 +189,13 @@ type Client struct {
 var (
 sessionGVR = schema.GroupVersionResource{
- Group: "stream.streamspace.io",
+ Group: "stream.space",
 Version: "v1alpha1",
 Resource: "sessions",
 }
 templateGVR = schema.GroupVersionResource{
- Group: "stream.streamspace.io",
+ Group: "stream.space",
 Version: "v1alpha1",
 Resource: "templates",
 }
diff --git a/manifests/config/rbac.yaml b/manifests/config/rbac.yaml
index a6348a37..b09916b5 100644
--- a/manifests/config/rbac.yaml
+++ b/manifests/config/rbac.yaml
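Review bot: The corrected group string is still hand-copied into both GVR literals (and separately into the new rbac.yaml), which is exactly the duplication that let the old `stream.streamspace.io` value drift away from the CRD definitions. Declaring it once, `const crdGroup = "stream.space"`, and writing `Group: crdGroup,` in both `sessionGVR` and `templateGVR` keeps the two resources in lockstep and gives tests a single name to compare against the manifests. A short comment on the constant, such as `// crdGroup must match the group declared in the CRD manifests`, would record why the value is load-bearing. The `var (` block that holds these literals closes outside the hunk.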
@@ -118,3 +118,114 @@ roleRef:
 kind: ClusterRole
 name: streamspace-controller-crd-reader
 apiGroup: rbac.authorization.k8s.io
+
+---
+# ServiceAccount for StreamSpace API backend
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: streamspace-api
+ namespace: streamspace
+ labels:
+ app: streamspace
+ component: api
+automountServiceAccountToken: true
+
+---
+# ClusterRole for API backend (needs cluster-wide node access)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: streamspace-api
+rules:
+ # Read CRD definitions
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [get, list, watch]
+
+ # Cluster-wide node access (nodes are cluster-scoped resources)
+ - apiGroups: [""]
+ resources: [nodes]
+ verbs: [get, list, watch, update, patch]
+
+ # Manage Sessions and Templates (cluster-wide for multi-namespace support)
+ - apiGroups: [stream.space]
+ resources: [sessions, templates]
+ verbs: [get, list, watch, create, update, patch, delete]
+ - apiGroups: [stream.space]
+ resources: [sessions/status, templates/status]
+ verbs: [get, update, patch]
+
+---
+# Role for API backend namespace-scoped resources
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: streamspace-api
+ namespace: streamspace
+rules:
+ # Manage session pods
+ - apiGroups: [""]
+ resources: [pods]
+ verbs: [get, list, watch, create, update, patch, delete]
+
+ # Manage session services and PVCs
+ - apiGroups: [""]
+ resources: [services, persistentvolumeclaims]
+ verbs: [get, list, watch, create, update, patch, delete]
+
+ # Manage session deployments
+ - apiGroups: [apps]
+ resources: [deployments]
+ verbs: [get, list, watch, create, update, patch, delete]
+
+ # Access to configmaps and secrets
+ - apiGroups: [""]
+ resources: [configmaps, secrets]
+ verbs: [get, list, watch]
+
+ # Create events for logging
+ - apiGroups: [""]
+ resources: [events]
+ verbs: [create, patch]
+
+ # Manage ingress for session access
+ - apiGroups: [networking.k8s.io]
+ resources: [ingresses]
+ verbs: [get, list, watch, create, update, patch, delete]
+
+ # Read pod logs for debugging
+ - apiGroups: [""]
+ resources: [pods/log]
+ verbs: [get, list]
+
+---
+# ClusterRoleBinding for API backend cluster-wide permissions
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: streamspace-api
+subjects:
+ - kind: ServiceAccount
+ name: streamspace-api
+ namespace: streamspace
+roleRef:
+ kind: ClusterRole
+ name: streamspace-api
+ apiGroup: rbac.authorization.k8s.io
+
+---
+# RoleBinding for API backend namespace-scoped permissions
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: streamspace-api
+ namespace: streamspace
+subjects:
+ - kind: ServiceAccount
+ name: streamspace-api
+ namespace: streamspace
+roleRef:
+ kind: Role
+ name: streamspace-api
+ apiGroup: rbac.authorization.k8s.io
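Review bot: The new ClusterRole grants `update, patch` on `nodes` cluster-wide, while the commit description only states that the API needs to access (read) nodes; write access on Node objects lets a compromised API pod change labels, taints or the unschedulable flag for every node in the cluster. Unless the API really mutates Node objects, the rule should be narrowed to `verbs: [get, list, watch]`, and if it does, the comment above the rule should say which fields it writes. The namespace Role also gives the service account `get, list, watch` on every `secrets` object in `streamspace`; if the API only needs particular ConfigMaps or Secrets, pin them with `resourceNames`. The `update, patch` verbs on `sessions/status` and `templates/status` are conventionally reserved for the controller, so it is worth confirming the API writes status at all before granting them.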