deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations
As of upgrading to Kubernetes 1.20, our aggregated API server now runs some controllers for the two flowcontrol.apiserver.k8s.io resources in the title of this commit, so it needs RBAC to read them. This should get rid of the following error messages in our Concierge logs: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope Signed-off-by: Andrew Keesler <akeesler@vmware.com>
parent
9c64476aee
commit
2ae631b603
@ -21,6 +21,9 @@ rules:
|
|||||||
- apiGroups: [ admissionregistration.k8s.io ]
|
- apiGroups: [ admissionregistration.k8s.io ]
|
||||||
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
|
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
|
||||||
verbs: [ get, list, watch ]
|
verbs: [ get, list, watch ]
|
||||||
|
- apiGroups: [ flowcontrol.apiserver.k8s.io ]
|
||||||
|
resources: [ flowschemas, prioritylevelconfigurations ]
|
||||||
|
verbs: [ get, list, watch ]
|
||||||
- apiGroups: [ policy ]
|
- apiGroups: [ policy ]
|
||||||
resources: [ podsecuritypolicies ]
|
resources: [ podsecuritypolicies ]
|
||||||
verbs: [ use ]
|
verbs: [ use ]
|
||||||
|
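Review bot: The new flowcontrol.apiserver.k8s.io rule has no comment saying why the Concierge service account needs it, so a later least-privilege audit of this role cannot tell it from an accidental grant. I would add a comment directly above the rule, e.g. `# Read-only: the aggregated API server's flowcontrol controllers list/watch these (Kubernetes 1.20+).` The errors quoted in the commit message show only list and watch being denied, so `get` is presumably there to match the neighbouring admissionregistration rule; that is low risk for these objects but worth confirming rather than assuming. The role's header and its binding are outside the hunk, so the cluster-wide scope is inferred from the quoted error text only.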