Skip to content

Commit

Permalink
add missing RBAC to statefulset-controller for StatefulSetAutoDeleteP…
Browse files Browse the repository at this point in the history 
…VC feature
  • Loading branch information
@atiratree
atiratree committed Sep 2, 2024
1 parent 620c9ed commit 490bafc
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 1 deletion.
3 changes: 2 additions & 1 deletion plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -383,13 +383,14 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
rbacv1helpers.NewRule("update").Groups(appsGroup).Resources("statefulsets/finalizers").RuleOrDie(),
rbacv1helpers.NewRule("get", "create", "delete", "update", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
rbacv1helpers.NewRule("get", "create", "delete", "update", "patch", "list", "watch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
rbacv1helpers.NewRule("get", "create").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
rbacv1helpers.NewRule("get", "create", "list", "watch").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
eventsRule(),
},
}

if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
role.Rules = append(role.Rules, rbacv1helpers.NewRule("update", "delete").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie())
role.Rules = append(role.Rules, rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie())
}

return role
Expand Down
8 changes: 8 additions & 0 deletions plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1466,6 +1466,8 @@ items:
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
- events.k8s.io
Expand All @@ -1482,6 +1484,12 @@ items:
verbs:
- delete
- update
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- update
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down

0 comments on commit 490bafc

Please sign in to comment.