From 169a20169ac5bab3a74f6a1bfe60916186dac4df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radek=20Ma=C5=88=C3=A1k?= Date: Wed, 12 Nov 2025 17:44:01 +0100 Subject: [PATCH 1/2] Add ClusterRole to ClusterOperator relatedObjects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds the cloud-controller-manager ClusterRole to the ClusterOperator's relatedObjects to ensure it's collected by oc adm inspect and must-gather for debugging purposes. The name field is set to the specific ClusterRole name since the operator manages a single ClusterRole resource. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 ...6_cloud-controller-manager-operator_12_clusteroperator.yaml | 3 +++
 pkg/controllers/status.go | 1 +
 2 files changed, 4 insertions(+)
diff --git a/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml b/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml
index 18ca4d325..b2c7112ce 100644
--- a/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml
+++ b/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml
@@ -22,3 +22,6 @@ status:
 - group: ""
 name: openshift-cloud-controller-manager-operator
 resource: namespaces
+ - group: rbac.authorization.k8s.io
+ name: cloud-controller-manager
+ resource: clusterroles
diff --git a/pkg/controllers/status.go b/pkg/controllers/status.go
index 46dfbc1d5..73e3c9cdf 100644
--- a/pkg/controllers/status.go
+++ b/pkg/controllers/status.go
@@ -207,6 +207,7 @@ func (r *ClusterOperatorStatusClient) relatedObjects() []configv1.ObjectReferenc
 {Resource: "namespaces", Name: defaultManagementNamespace},
 {Group: configv1.GroupName, Resource: "clusteroperators", Name: clusterOperatorName},
 {Resource: "namespaces", Name: r.ManagedNamespace},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Name: clusterOperatorName},
 }
 }
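Review bot: In the status.go hunk the new ClusterRole reference reuses `clusterOperatorName` as its `Name`, so the entry is only right while the ClusterRole happens to carry the same name as the ClusterOperator; the manifest hunk spells the role name out as `cloud-controller-manager`, and the constant's value is not visible here. A dedicated constant would make the coupling explicit, for example `const cloudControllerManagerClusterRole = "cloud-controller-manager"`, or at minimum a comment on the line such as `// ClusterRole name intentionally matches the ClusterOperator name`. relatedObjects decides which RBAC objects land in an inspect or must-gather bundle, so a later rename of either name would drop the role from the collected data without any error. The body of relatedObjects() starts above the hunk.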
From f4181436df8fa466e0b798c45c1f824526668d95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radek=20Ma=C5=88=C3=A1k?= Date: Wed, 6 May 2026 15:28:36 +0200 Subject: [PATCH 2/2] Expand ClusterOperator relatedObjects to all managed resources Add configmaps, services, deployments, networkpolicies, serviceaccounts, roles, rolebindings, clusterrolebindings, and credentialsrequests to the relatedObjects list so that oc adm inspect and must-gather collect the full set of resources managed by the operator. Also fixes the namespace ordering to list the operator namespace before the managed namespace.
---
 ...r-manager-operator_12_clusteroperator.yaml | 141 +++++++++++++++++-
 pkg/controllers/status.go | 41 ++++-
 2 files changed, 177 insertions(+), 5 deletions(-)
diff --git a/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml b/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml
index b2c7112ce..40dac0017 100644
--- a/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml
+++ b/manifests/0000_26_cloud-controller-manager-operator_12_clusteroperator.yaml
@@ -17,11 +17,148 @@ status:
 name: cloud-controller-manager
 resource: clusteroperators
 - group: ""
- name: openshift-cloud-controller-manager
+ name: openshift-cloud-controller-manager-operator
 resource: namespaces
 - group: ""
- name: openshift-cloud-controller-manager-operator
+ name: openshift-cloud-controller-manager
 resource: namespaces
+ - group: ""
+ name: cloud-controller-manager-images
+ namespace: openshift-cloud-controller-manager-operator
+ resource: configmaps
+ - group: ""
+ name: kube-rbac-proxy
+ namespace: openshift-cloud-controller-manager-operator
+ resource: configmaps
+ - group: ""
+ name: cloud-controller-manager-operator
+ namespace: openshift-cloud-controller-manager-operator
+ resource: services
+ - group: apps
+ name: cluster-cloud-controller-manager-operator
+ namespace: openshift-cloud-controller-manager-operator
+ resource: deployments
+ - group: networking.k8s.io
+ name: default-deny
+ namespace: openshift-cloud-controller-manager-operator
+ resource: networkpolicies
+ - group: networking.k8s.io
+ name: ""
+ namespace: openshift-cloud-controller-manager
+ resource: networkpolicies
+ - group: ""
+ name: cluster-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager-operator
+ resource: serviceaccounts
+ - group: ""
+ name: ""
+ namespace: openshift-cloud-controller-manager
+ resource: serviceaccounts
+ - group: ""
+ name: cloud-controller-manager
+ namespace: kube-system
+ resource: serviceaccounts
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager-operator
+ resource: roles
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: openshift-config
+ resource: roles
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: openshift-config-managed
+ resource: roles
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: kube-system
+ resource: roles
+ - group: rbac.authorization.k8s.io
+ name: ""
+ namespace: openshift-cloud-controller-manager
+ resource: roles
+ - group: rbac.authorization.k8s.io
+ name: cloud-controller-manager
+ namespace: kube-system
+ resource: roles
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: openshift-cloud-controller-manager-operator
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: ""
+ namespace: openshift-cloud-controller-manager
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: openshift-config
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: openshift-config-managed
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: cluster-cloud-controller-manager
+ namespace: kube-system
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: cloud-controller-manager
+ namespace: kube-system
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: cloud-controller-manager:apiserver-authentication-reader
+ namespace: kube-system
+ resource: rolebindings
+ - group: rbac.authorization.k8s.io
+ name: system:openshift:operator:cloud-controller-manager
+ resource: clusterroles
 - group: rbac.authorization.k8s.io
 name: cloud-controller-manager
 resource: clusterroles
+ - group: rbac.authorization.k8s.io
+ name: cloud-node-manager
+ resource: clusterroles
+ - group: rbac.authorization.k8s.io
+ name: openstack-cloud-controller-manager
+ resource: clusterroles
+ - group: rbac.authorization.k8s.io
+ name: system:openshift:operator:cloud-controller-manager
+ resource: clusterrolebindings
+ - group: rbac.authorization.k8s.io
+ name: cloud-controller-manager
+ resource: clusterrolebindings
+ - group: rbac.authorization.k8s.io
+ name: cloud-node-manager
+ resource: clusterrolebindings
+ - group: rbac.authorization.k8s.io
+ name: openstack-cloud-controller-manager
+ resource: clusterrolebindings
+ - group: cloudcredential.openshift.io
+ name: openshift-azure-cloud-controller-manager
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
+ - group: cloudcredential.openshift.io
+ name: openshift-gcp-ccm
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
+ - group: cloudcredential.openshift.io
+ name: openshift-ibm-cloud-controller-manager
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
+ - group: cloudcredential.openshift.io
+ name: openshift-nutanix-cloud-controller-manager
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
+ - group: cloudcredential.openshift.io
+ name: openshift-openstack-cloud-controller-manager
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
+ - group: cloudcredential.openshift.io
+ name: openshift-powervs-cloud-controller-manager
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
+ - group: cloudcredential.openshift.io
+ name: openshift-vsphere-cloud-controller-manager
+ namespace: openshift-cloud-credential-operator
+ resource: credentialsrequests
diff --git a/pkg/controllers/status.go b/pkg/controllers/status.go
index 73e3c9cdf..fcb5c61b2 100644
--- a/pkg/controllers/status.go
+++ b/pkg/controllers/status.go
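Review bot: Four of the references added in the manifest hunk carry `name: ""` together with `namespace: openshift-cloud-controller-manager` (networkpolicies, serviceaccounts, roles, rolebindings), and nothing in the file says what an empty name means. Presumably it is meant as "collect every object of this type in the namespace"; if so, a comment above the first such entry should say it, for example `# name "" selects all objects of this resource in the namespace`, and if not, the concrete names should be listed as they are everywhere else. The same four entries appear with `Name: ""` in relatedObjects() in the status.go hunk of this patch, so the comment belongs there too. It is also worth confirming that the inspect tooling accepts an empty name for a namespaced resource instead of skipping the reference, because a skipped roles or rolebindings entry would leave the managed namespace's RBAC out of the bundle.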
@@ -202,12 +202,47 @@ func (r *ClusterOperatorStatusClient) getOrCreateClusterOperator(ctx context.Con
 }
 func (r *ClusterOperatorStatusClient) relatedObjects() []configv1.ObjectReference {
- // TBD: Add an actual set of object references from getResources method
 return []configv1.ObjectReference{
- {Resource: "namespaces", Name: defaultManagementNamespace},
 {Group: configv1.GroupName, Resource: "clusteroperators", Name: clusterOperatorName},
- {Resource: "namespaces", Name: r.ManagedNamespace},
+ {Group: "", Resource: "namespaces", Name: defaultManagementNamespace},
+ {Group: "", Resource: "namespaces", Name: r.ManagedNamespace},
+ {Group: "", Resource: "configmaps", Name: "cloud-controller-manager-images", Namespace: defaultManagementNamespace},
+ {Group: "", Resource: "configmaps", Name: "kube-rbac-proxy", Namespace: defaultManagementNamespace},
+ {Group: "", Resource: "services", Name: "cloud-controller-manager-operator", Namespace: defaultManagementNamespace},
+ {Group: "apps", Resource: "deployments", Name: "cluster-cloud-controller-manager-operator", Namespace: defaultManagementNamespace},
+ {Group: "networking.k8s.io", Resource: "networkpolicies", Name: "default-deny", Namespace: defaultManagementNamespace},
+ {Group: "networking.k8s.io", Resource: "networkpolicies", Name: "", Namespace: r.ManagedNamespace},
+ {Group: "", Resource: "serviceaccounts", Name: "cluster-cloud-controller-manager", Namespace: defaultManagementNamespace},
+ {Group: "", Resource: "serviceaccounts", Name: "", Namespace: r.ManagedNamespace},
+ {Group: "", Resource: "serviceaccounts", Name: "cloud-controller-manager", Namespace: "kube-system"},
+ {Group: "rbac.authorization.k8s.io", Resource: "roles", Name: "cluster-cloud-controller-manager", Namespace: defaultManagementNamespace},
+ {Group: "rbac.authorization.k8s.io", Resource: "roles", Name: "cluster-cloud-controller-manager", Namespace: "openshift-config"},
+ {Group: "rbac.authorization.k8s.io", Resource: "roles", Name: "cluster-cloud-controller-manager", Namespace: "openshift-config-managed"},
+ {Group: "rbac.authorization.k8s.io", Resource: "roles", Name: "cluster-cloud-controller-manager", Namespace: "kube-system"},
+ {Group: "rbac.authorization.k8s.io", Resource: "roles", Name: "", Namespace: r.ManagedNamespace},
+ {Group: "rbac.authorization.k8s.io", Resource: "roles", Name: "cloud-controller-manager", Namespace: "kube-system"},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "cluster-cloud-controller-manager", Namespace: defaultManagementNamespace},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "", Namespace: r.ManagedNamespace},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "cluster-cloud-controller-manager", Namespace: "openshift-config"},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "cluster-cloud-controller-manager", Namespace: "openshift-config-managed"},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "cluster-cloud-controller-manager", Namespace: "kube-system"},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "cloud-controller-manager", Namespace: "kube-system"},
+ {Group: "rbac.authorization.k8s.io", Resource: "rolebindings", Name: "cloud-controller-manager:apiserver-authentication-reader", Namespace: "kube-system"},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Name: "system:openshift:operator:" + clusterOperatorName},
 {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Name: clusterOperatorName},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Name: "cloud-node-manager"},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterroles", Name: "openstack-cloud-controller-manager"},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Name: "system:openshift:operator:" + clusterOperatorName},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Name: clusterOperatorName},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Name: "cloud-node-manager"},
+ {Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Name: "openstack-cloud-controller-manager"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-azure-cloud-controller-manager", Namespace: "openshift-cloud-credential-operator"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-gcp-ccm", Namespace: "openshift-cloud-credential-operator"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-ibm-cloud-controller-manager", Namespace: "openshift-cloud-credential-operator"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-nutanix-cloud-controller-manager", Namespace: "openshift-cloud-credential-operator"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-openstack-cloud-controller-manager", Namespace: "openshift-cloud-credential-operator"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-powervs-cloud-controller-manager", Namespace: "openshift-cloud-credential-operator"},
+ {Group: "cloudcredential.openshift.io", Resource: "credentialsrequests", Name: "openshift-vsphere-cloud-controller-manager", Namespace: "openshift-cloud-credential-operator"},
 }
 }
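Review bot: relatedObjects() now returns about forty hand-written references that mirror the ClusterOperator manifest entry for entry, and the removed TBD about deriving the set from getResources is dropped without a replacement, so the two lists can drift apart unnoticed. One difference is already visible: this list uses `r.ManagedNamespace` where the manifest hard-codes `openshift-cloud-controller-manager`. A unit test that decodes the manifest's `status.relatedObjects` and compares it with the return value for the default managed namespace would catch drift, and the repeated literals would read better as constants next to `defaultManagementNamespace`, e.g. `const rbacGroup = "rbac.authorization.k8s.io"`. The platform-specific entries (the `openstack-cloud-controller-manager` cluster role and binding, and the seven credentialsrequests) are listed unconditionally; a short comment stating that references to objects absent on the running platform are expected would save the next reader the question.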