From 0c2143ce6ae0d4fabdef38df7e9b474dd43def1b Mon Sep 17 00:00:00 2001 From: Christian Schwede Date: Mon, 29 Apr 2024 10:16:46 +0200 Subject: [PATCH] Fix Pod watch RBAC error Commit a987062 restricted the RBAC permissions for Pods to Get and List operations, as these are the only ones required by the swift-operator itself. However, Get/List operations are using an informerCache, which itself sets up a Watch to the objects. Without the required watch permission this throws an error in the operator log like this: Failed to watch *v1.Pod: unknown (get pods)
---
 config/rbac/role.yaml | 1 +
 controllers/swiftstorage_controller.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 16bd438..5346d21 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -12,6 +12,7 @@ rules:
 verbs:
 - get
 - list
+ - watch
 - apiGroups:
 - ""
 resources:
diff --git a/controllers/swiftstorage_controller.go b/controllers/swiftstorage_controller.go
index ffaebf3..324d72f 100644
--- a/controllers/swiftstorage_controller.go
+++ b/controllers/swiftstorage_controller.go
@@ -83,7 +83,7 @@ type Netconfig struct {
 //+kubebuilder:rbac:groups=memcached.openstack.org,resources=memcacheds,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=network.openstack.org,resources=dnsdata,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list
-//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list
+//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
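Review bot: The `pods` marker in swiftstorage_controller.go regains `watch` with nothing in the file recording why, and a987062 dropped it because it looked unused. A plain comment above the marker would keep a later least-privilege pass from reintroducing the error, e.g. `// watch is required: Get/List go through the informer cache, which opens a Watch on Pods`. The context line directly above, `resources=nodes,verbs=get;list`, has the same get/list-only shape, so if Nodes are also read through the cached client it would presumably fail the same way; check the operator log for a matching Node watch error, or read Nodes through an uncached reader. `watch` exposes no Pod data that `get`/`list` did not already expose, so if narrowing is still wanted, the place to do it is the scope of the cache or role rather than the verb list. The marker block starts outside this hunk.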