diff --git a/internal/noderesource/noderesource.go b/internal/noderesource/noderesource.go
index 3677d5f..777953d 100644
--- a/internal/noderesource/noderesource.go
+++ b/internal/noderesource/noderesource.go
@@ -1013,10 +1013,10 @@ func proxyReadinessProbe() *corev1.Probe {
 // GenerateRBACProxyConfigMap produces the ConfigMap carrying the
 // kube-rbac-proxy authorization config — a single coarse SAR scoped
-// to (group=sei.io, resource=seinodetasks, namespace=, name=).
-// Verb is derived from HTTP method by the proxy. Bypass paths live on
-// the proxy's --ignore-paths CLI flag, not this file (config-file
-// allowedPaths gates at the authz layer and still requires authn).
+// to (apiGroup=sei.io, resource=seinodetasks, namespace=, name=).
+// Verb is derived from HTTP method by the proxy. The field name is
+// `apiGroup`, matching kube-rbac-proxy's authz.ResourceAttributes
+// struct (pkg/authz/auth.go).
 //
 // `name` scopes the SAR to the specific SeiNode so operators can bind
 // ClusterRoles with resourceNames to narrow access per-validator;
@@ -1025,7 +1025,7 @@ func GenerateRBACProxyConfigMap(node *seiv1alpha1.SeiNode) *corev1.ConfigMap {
 config := strings.Join([]string{
 "authorization:",
 " resourceAttributes:",
- " group: sei.io",
+ " apiGroup: sei.io",
 " resource: seinodetasks",
 " namespace: " + node.Namespace,
 " name: " + node.Name,
diff --git a/internal/noderesource/sidecar_proxy_test.go b/internal/noderesource/sidecar_proxy_test.go
index ae183bc..01f2abd 100644
--- a/internal/noderesource/sidecar_proxy_test.go
+++ b/internal/noderesource/sidecar_proxy_test.go
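Review bot: The rewritten doc comment drops the only statement of where bypass paths are configured — the removed lines said bypass paths live on the proxy's `--ignore-paths` CLI flag rather than in this ConfigMap, and that config-file `allowedPaths` gates at the authz layer and still requires authn. That sentence is what tells the next maintainer that adding an allowed path here does not skip authentication, and it is independent of the group→apiGroup rename, so nothing in the new text replaces it. Keep it after the new apiGroup sentence, e.g. `// Bypass paths live on the proxy's --ignore-paths CLI flag, not this file (config-file allowedPaths gates at the authz layer and still requires authn).` The doc comment and the function it documents continue past this hunk.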
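Review bot: The two context lines below the changed `apiGroup:` line concatenate `node.Namespace` and `node.Name` into the YAML as bare scalars, so what the proxy reads back depends on its YAML decoder's scalar typing rather than on the Go string. Names such as `null`, `true` or `on` are valid DNS-1123 labels, and a YAML 1.1 decoder would read `name: null` as an absent value instead of the string, which for this SAR is a wider `name=` scope than the ConfigMap intends; whether kube-rbac-proxy's decoder behaves that way is not visible here, but quoting removes the dependency either way. Emit the values double-quoted, keeping the existing leading indentation, e.g. `"namespace: \"" + node.Namespace + "\"",` and `"name: \"" + node.Name + "\"",`; DNS-1123 names cannot contain `"` or `\`, so no escaping is needed. `GenerateRBACProxyConfigMap` begins and ends outside this hunk.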
@@ -85,12 +85,12 @@ func TestServicePorts_AlwaysIncludesAPIPort(t *testing.T) {
 g.Expect(found).To(BeTrue(), "headless Service must publish the proxy API port")
 }
-func TestGenerateRBACProxyConfigMap_UsesGroupNotApiGroup(t *testing.T) {
+func TestGenerateRBACProxyConfigMap_UsesApiGroup(t *testing.T) {
 g := NewWithT(t)
 cm := GenerateRBACProxyConfigMap(newGenesisNode("a", "default"))
 g.Expect(cm).NotTo(BeNil())
- g.Expect(cm.Data["config.yaml"]).To(ContainSubstring("group: sei.io"), "resourceAttributes uses 'group', not 'apiGroup' — kube-rbac-proxy unmarshals SAR ResourceAttributes, the field name is group")
+ g.Expect(cm.Data["config.yaml"]).To(ContainSubstring("apiGroup: sei.io"), "field name must match kube-rbac-proxy's authz.ResourceAttributes struct (apiGroup, not group)")
 }
 func TestGenerateStatefulSet_ProxyImageMissing_Errors(t *testing.T) {
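Review bot: The renamed test still only asserts that the substring `apiGroup: sei.io` appears somewhere in `config.yaml`, so it cannot catch the class of drift this commit fixes — a correctly spelled key nested at the wrong level, or a future rename of the field on the proxy side, passes unchanged. Decode `cm.Data["config.yaml"]` with the YAML decoder this module already imports into a small local struct mirroring kube-rbac-proxy's config (an `Authorization.ResourceAttributes` with `APIGroup string` tagged yaml:"apiGroup", plus resource, namespace and name) and assert each field, including that namespace and name come back as `"default"` and `"a"` from `newGenesisNode("a", "default")`; the `ContainSubstring` check can remain as a secondary guard. Separately, Go initialism style would spell the new name `TestGenerateRBACProxyConfigMap_UsesAPIGroup`, consistent with `TestServicePorts_AlwaysIncludesAPIPort` at the top of this hunk.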