[Misc] Fix storm service rbac issue

[Jeffwan]

Pull Request Description

Related Issues

Resolves: #[Insert issue number(s)]

Important: Before submitting, please complete the description above and review the checklist below.

---

Contribution Guidelines (Expand for Details)

We appreciate your contribution to aibrix! To ensure a smooth review process and maintain high code quality, please adhere to the following guidelines:

Pull Request Title Format

Your PR title should start with one of these prefixes to indicate the nature of the change:

• [Bug]: Corrections to existing functionality
• [CI]: Changes to build process or CI pipeline
• [Docs]: Updates or additions to documentation
• [API]: Modifications to aibrix's API or interface
• [CLI]: Changes or additions to the Command Line Interface
• [Misc]: For changes not covered above (use sparingly)

Note: For changes spanning multiple categories, use multiple prefixes in order of importance.

Submission Checklist

• PR title includes appropriate prefix(es)
• Changes are clearly explained in the PR description
• New and existing tests pass successfully
• Code adheres to project style and best practices
• Documentation updated to reflect changes (if applicable)
• Thorough testing completed, no regressions introduced

By submitting this PR, you confirm that you've read these guidelines and your changes align with the project's contribution standards.

[gemini-code-assist]

Summary of Changes

Hello @Jeffwan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on addressing and expanding Role-Based Access Control (RBAC) permissions within the system. It ensures that the stormservice and roleset controllers have the necessary authorizations to manage their respective custom resources and interact with core Kubernetes resources like Pods and ControllerRevisions, resolving potential permission-related operational issues.

Highlights

• Core Controller RBAC Expansion: The main controller-manager role (config/rbac/controller-manager/role.yaml) has been updated to include permissions for controllerrevisions within the apps API group. Additionally, comprehensive create, delete, update (for finalizers), get, and patch (for status) permissions have been granted for rolesets and stormservices custom resources under the orchestration.aibrix.ai API group.
• RoleSet Controller Permissions: The RoleSet controller's kubebuilder:rbac annotations (pkg/controller/roleset/roleset_controller.go) were extended to grant it full management capabilities (get, list, watch, create, update, patch, delete, deletecollection) over Pods and their status and exec subresources within the core API group.
• StormService Controller Permissions: Similarly, the StormService controller's kubebuilder:rbac annotations (pkg/controller/stormservice/stormservice_controller.go) now include permissions for managing Pods (get, list, watch, create, update, patch, delete, deletecollection) and their status and exec subresources, as well as controllerrevisions within the apps API group.
• Logging Refinement: A minor change was made in pkg/controller/roleset/rolesyncer.go to remove a redundant prefix ([StatefulRoleSyncer.printLog]) from a klog.Infof log message for cleaner output.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request fixes RBAC issues by adding permissions for stormservice and roleset controllers, including permissions for new CRDs and managing controllerrevisions. However, the permissions for pods/status and pods/exec are overly permissive. This review suggests correcting these permissions to adhere to the principle of least privilege.