From 59556443b54e6de3b390fbba33b49d58cb2625de Mon Sep 17 00:00:00 2001
From: Javier Cano Cano
Date: Wed, 25 Oct 2023 11:57:03 +0200
Subject: [PATCH] Add missing RBAC permissions

The verbs `list` and `watch` for namespace objects are required for recovering unhealthy nodes. Otherwise, the remediation tasks do not finish successfully.

Signed-off-by: Javier Cano Cano
---
 .../fence-agents-remediation.clusterserviceversion.yaml | 8 ++++++++
 config/rbac/role.yaml | 8 ++++++++
 controllers/fenceagentsremediation_controller.go | 1 +
 3 files changed, 17 insertions(+)

diff --git a/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml b/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
index 556a048f..be23040b 100644
--- a/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
+++ b/bundle/manifests/fence-agents-remediation.clusterserviceversion.yaml
@@ -132,6 +132,14 @@ spec:
 spec:
 clusterPermissions:
 - rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - ""
 resources:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 9bbcf628..a09bb297 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -4,6 +4,14 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - ""
 resources:
diff --git a/controllers/fenceagentsremediation_controller.go b/controllers/fenceagentsremediation_controller.go
index 53a5df02..a550852b 100644
--- a/controllers/fenceagentsremediation_controller.go
+++ b/controllers/fenceagentsremediation_controller.go
@@ -70,6 +70,7 @@ func (r *FenceAgentsRemediationReconciler) SetupWithManager(mgr ctrl.Manager) er
 //+kubebuilder:rbac:groups=core,resources=pods/exec,verbs=create
 //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;update;delete;deletecollection
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;update;delete
+//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 //+kubebuilder:rbac:groups=fence-agents-remediation.medik8s.io,resources=fenceagentsremediations,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=fence-agents-remediation.medik8s.io,resources=fenceagentsremediations/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=fence-agents-remediation.medik8s.io,resources=fenceagentsremediations/finalizers,verbs=update
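Review bot: The added `namespaces` marker grants `get` as well as the `list` and `watch` that the commit message names as required, and nothing beside it records which code path needs cluster-wide namespace reads. If `get` turns out to be unused, the marker could be narrowed to `//+kubebuilder:rbac:groups="",resources=namespaces,verbs=list;watch`, with the two generated manifests regenerated to match. Either way, a plain comment above the marker would help a later audit of the ClusterRole, for example `// namespaces list/watch: required for recovering unhealthy nodes`. The marker block and the code that consumes this permission lie outside the hunk, so the need for `get` cannot be confirmed from here.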