improve yurt-manager rbac (#2077)

cmd/yurt-manager/app/client/client.go

@@ -120,9 +120,10 @@ func GetClientByControllerNameOrDie(mgr manager.Manager, controllerName string)
 	clientOptions := client.Options{
 		Scheme: mgr.GetScheme(),
 		Mapper: mgr.GetRESTMapper(),
-		// todo: this is just a default option, we should use mgr's cache options
+		// controller client should get/list unstructured resource from cache instead of kube-apiserver,
+		// because only base client has the right privilege to list/watch unstructured resources.
 		Cache: &client.CacheOptions{
-			Unstructured: false,
+			Unstructured: true,
 			Reader:       mgr.GetCache(),
 		},
 	}

hack/lib/complement-rbac.sh

@@ -75,6 +75,7 @@ subjects:
   namespace: $namespace
 "
             } >> "$tmp_file"
+            echo "Complement ${binding_kind} for ${name}"
             # Reset variables for the next object
             kind=""
             name=""
@@ -92,6 +93,8 @@ metadata:
   namespace: $namespace
 "
         } >> "$tmp_file"
+
+        echo "Complement ServiceAccount for $sa_name"
     done
     # Close file descriptor 3
     exec 3<&-

hack/make-rules/generate_manifests.sh

@@ -58,19 +58,20 @@ for dir in "$WEBHOOK_DIR"/*/; do
     found_file=$(grep -lR -e "$PATTERN" "$dir" | head -n 1)
 
     if [ ! -z "$found_file" ]; then
-        echo "Generate RBAC for $dir"
+        echo "Generate RBAC for webhook $dir"
         # If a matching file is found, extract directory base name
         role_name=$(basename "${dir}")
         $CONTROLLER_GEN rbac:roleName="${role_name}" paths=${dir}/... output:rbac:artifacts:config=${OUTPUT_DIR}/rbac && mv ${OUTPUT_DIR}/rbac/role.yaml ${OUTPUT_DIR}/rbac/${role_name}.yaml
     fi
 done
 
 # Loop through ${OUTPUT_DIR}/rbac and generate RoleBinding/ClusterRoleBinding/ServiceAccount
+echo "Complement RoleBinding/ClusterRoleBinding/ServiceAccount"
 for file in ${OUTPUT_DIR}/rbac/*.yaml; do
     complement_rbac "$file"
 done
 
-$CONTROLLER_GEN rbac:roleName=basecontroller paths=$YURT_ROOT/pkg/yurtmanager/controller/... output:rbac:artifacts:config=${OUTPUT_DIR}/rbac && mv ${OUTPUT_DIR}/rbac/role.yaml ${OUTPUT_DIR}/rbac/basecontroller.yaml
+$CONTROLLER_GEN rbac:roleName=basecontroller paths=$YURT_ROOT/pkg/yurtmanager/controller/base/... output:rbac:artifacts:config=${OUTPUT_DIR}/rbac && mv ${OUTPUT_DIR}/rbac/role.yaml ${OUTPUT_DIR}/rbac/basecontroller.yaml
 $CONTROLLER_GEN rbac:roleName=webhook paths=$YURT_ROOT/pkg/yurtmanager/webhook/... output:rbac:artifacts:config=${OUTPUT_DIR}/rbac && mv ${OUTPUT_DIR}/rbac/role.yaml ${OUTPUT_DIR}/rbac/webhook.yaml
 echo "Generate RBAC for base controller/webhook"
 

pkg/yurtmanager/controller/base/controller.go

@@ -111,6 +111,30 @@ func NewControllerInitializers() map[string]InitFunc {
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;create
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts/token,verbs=create
 // +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=list;watch
+// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=list;watch
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=list;watch
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=list;watch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=list;watch
+// +kubebuilder:rbac:groups=network.openyurt.io,resources=poolservices,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodebuckets,verbs=list;watch
+// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=list;watch
+// +kubebuilder:rbac:groups=iot.openyurt.io,resources=platformadmins,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=list;watch
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=list;watch
+// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=list;watch
+// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=list;watch
+// +kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappdaemons,verbs=list;watch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch
+// +kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappoverriders,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=list;watch
+// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=list;watch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtstaticsets,verbs=list;watch
+// +kubebuilder:rbac:groups=crd.projectcalico.org,resources=blockaffinities,verbs=list;watch
 
 func SetupWithManager(ctx context.Context, c *config.CompletedConfig, m manager.Manager) error {
 	for controllerName, fn := range NewControllerInitializers() {

pkg/yurtmanager/controller/csrapprover/csr_approver_controller.go

@@ -139,7 +139,7 @@ func NewReconcileCsrApprover(mgr manager.Manager) (*ReconcileCsrApprover, error)
 	return r, nil
 }
 
-// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=get;list;watch
+// +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests,verbs=get
 // +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/approval,verbs=update
 // +kubebuilder:rbac:groups=certificates.k8s.io,resourceNames=kubernetes.io/kube-apiserver-client;kubernetes.io/kubelet-serving,resources=signers,verbs=approve
 

pkg/yurtmanager/controller/daemonpodupdater/daemon_pod_updater_controller.go

@@ -196,9 +196,9 @@ func daemonsetUpdate(evt event.UpdateEvent) bool {
 	return true
 }
 
-// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;update
-// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;update
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;update;patch
 
 // Reconcile reads that state of the cluster for a DaemonSet object and makes changes based on the state read
 // and what is in the DaemonSet.Spec

pkg/yurtmanager/controller/loadbalancerset/loadbalancerset/load_balancer_set_controller.go

@@ -132,11 +132,10 @@ func add(mgr manager.Manager, cfg *appconfig.CompletedConfig, r reconcile.Reconc
 	return nil
 }
 
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;update
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;update
 // +kubebuilder:rbac:groups=core,resources=services/status,verbs=update
-// +kubebuilder:rbac:groups=network.openyurt.io,resources=poolservices,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=network.openyurt.io,resources=poolservices,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=network.openyurt.io,resources=poolservices/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=list;watch
 
 // Reconcile reads that state of the cluster for a PoolService object and makes changes based on the state read
 // and what is in the PoolService.Spec

pkg/yurtmanager/controller/nodebucket/node_bucket_controller.go

@@ -162,9 +162,8 @@ type ReconcileNodeBucket struct {
 	maxNodesPerBucket int
 }
 
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodebuckets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=list;watch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodebuckets,verbs=get;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get
 
 // Reconcile reads that state of the cluster for a NodeBucket object and makes changes based on the state read
 // and what is in the NodeBucket.Spec

pkg/yurtmanager/controller/nodelifecycle/node_life_cycle_controller.go

@@ -288,10 +288,10 @@ type ReconcileNodeLifeCycle struct {
 }
 
 // +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=update
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=list;get;watch
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get
 // +kubebuilder:rbac:groups=core,resources=pods/status,verbs=update
-// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;watch;list;delete
-// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;watch
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;delete
+// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get
 
 // Add creates a new CsrApprover Controller and adds it to the Manager with default RBAC. The Manager will set fields on the Controller
 // and Start it when the Manager is Started.

pkg/yurtmanager/controller/nodepool/nodepool_controller.go

@@ -105,9 +105,9 @@ type NodePoolRelatedAttributes struct {
 	Taints      []corev1.Taint    `json:"taints,omitempty"`
 }
 
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;update;patch
 // +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;update;patch
 
 // Reconcile reads that state of the cluster for a NodePool object and makes changes based on the state read
 // and what is in the NodePool.Spec

pkg/yurtmanager/controller/platformadmin/platform_admin_controller.go

@@ -178,13 +178,13 @@ func add(mgr manager.Manager, cfg *appconfig.CompletedConfig, r reconcile.Reconc
 	return nil
 }
 
-// +kubebuilder:rbac:groups=iot.openyurt.io,resources=platformadmins,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=iot.openyurt.io,resources=platformadmins,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=iot.openyurt.io,resources=platformadmins/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=iot.openyurt.io,resources=platformadmins/finalizers,verbs=update
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=configmaps/status,verbs=get;update;patch;watch
 // +kubebuilder:rbac:groups=core,resources=services/status,verbs=get;update;patch
 

pkg/yurtmanager/controller/raven/dns/gateway_dns_controller.go

@@ -107,10 +107,10 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;watch;create;update;delete
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get
 
 func (r *ReconcileDns) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error) {
 	klog.V(4).Info(Format("Reconcile DNS configMap for gateway %s", req.Name))

pkg/yurtmanager/controller/raven/gatewayinternalservice/gateway_internal_service_controller.go

@@ -122,10 +122,10 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;watch;create;update;delete
-// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;watch;create;update;delete
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;watch;list
-// +kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get
+// +kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=get
 
 // Reconcile reads that state of the cluster for a Gateway object and makes changes based on the state read
 // and what is in the Gateway.Spec

pkg/yurtmanager/controller/raven/gatewaypickup/gateway_pickup_controller.go

@@ -138,12 +138,12 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-//+kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=get;list;watch;create;delete;update
+//+kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=get;create;delete;update
 //+kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways/finalizers,verbs=update
-//+kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch
-//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
-//+kubebuilder:rbac:groups=crd.projectcalico.org,resources=blockaffinities,verbs=get;list;watch
+//+kubebuilder:rbac:groups=core,resources=nodes,verbs=get
+//+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get
+//+kubebuilder:rbac:groups=crd.projectcalico.org,resources=blockaffinities,verbs=get
 
 // Reconcile reads that state of the cluster for a Gateway object and makes changes based on the state read
 // and what is in the Gateway.Spec

pkg/yurtmanager/controller/raven/gatewaypublicservice/gateway_public_service_controller.go

@@ -133,10 +133,10 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 	return nil
 }
 
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch;create;update;delete
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
-// +kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;create;update;delete
+// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get
+// +kubebuilder:rbac:groups=raven.openyurt.io,resources=gateways,verbs=get
 
 // Reconcile reads that state of the cluster for a Gateway object and makes changes based on the state read
 // and what is in the Gateway.Spec

pkg/yurtmanager/controller/servicetopology/endpoints/service_topology_endpoints_controller.go

@@ -85,9 +85,9 @@ func add(mgr manager.Manager, cfg *appconfig.CompletedConfig, r reconcile.Reconc
 	return nil
 }
 
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get
+// +kubebuilder:rbac:groups=core,resources=endpoints,verbs=get;patch
 
 // Reconcile reads that state of the cluster for endpoints object and makes changes based on the state read
 func (r *ReconcileServicetopologyEndpoints) Reconcile(_ context.Context, request reconcile.Request) (reconcile.Result, error) {

pkg/yurtmanager/controller/servicetopology/endpointslice/service_topology_endpointslice_controller.go

@@ -99,9 +99,9 @@ func newReconciler(_ *appconfig.CompletedConfig, mgr manager.Manager) *Reconcile
 	return r
 }
 
-// +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;list;watch
-// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=core,resources=services,verbs=get
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get
+// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;patch
 
 // Reconcile reads that state of the cluster for endpointslice object and makes changes based on the state read
 func (r *ReconcileServiceTopologyEndpointSlice) Reconcile(_ context.Context, request reconcile.Request) (reconcile.Result, error) {

pkg/yurtmanager/controller/yurtappdaemon/yurt_app_daemon_controller.go

@@ -123,11 +123,11 @@ func newReconciler(mgr manager.Manager) reconcile.Reconciler {
 	}
 }
 
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappdaemons,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappdaemons,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappdaemons/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=get;create;update;patch;delete
 
 // Reconcile reads that state of the cluster for a YurtAppDaemon object and makes changes based on the state read
 // and what is in the YurtAppDaemon.Spec

pkg/yurtmanager/controller/yurtappoverrider/yurt_app_overrider_controller.go

@@ -104,10 +104,10 @@ func add(mgr manager.Manager, cfg *appconfig.CompletedConfig, r reconcile.Reconc
 	return nil
 }
 
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappoverriders,verbs=get;list;watch
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=get;watch
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappdaemons,verbs=get;watch
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch;update
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappoverriders,verbs=get
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=get
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappdaemons,verbs=get
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=update
 
 // Reconcile reads that state of the cluster for a YurtAppOverrider object and makes changes based on the state read
 // and what is in the YurtAppOverrider.Spec

pkg/yurtmanager/controller/yurtappset/yurt_app_set_controller.go

@@ -191,14 +191,14 @@ type ReconcileYurtAppSet struct {
 	workloadManagers map[workloadmanager.TemplateType]workloadmanager.WorkloadManager
 }
 
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get;list;watch;
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets,verbs=get;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps.openyurt.io,resources=nodepools,verbs=get
 // +kubebuilder:rbac:groups=apps.openyurt.io,resources=yurtappsets/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=statefulsets/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;create;update;patch;delete
 // +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=controllerrevisions,verbs=get;create;update;patch;delete
 
 // Reconcile reads that state of the cluster for a YurtAppSet object and makes changes based on the state read
 // and what is in the YurtAppSet.Spec