From 2ae631b6036e2deb2c23b2988970aa3f56912026 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Fri, 5 Feb 2021 08:19:12 -0500
Subject: [PATCH] deploy/concierge: add RBAC for flowschemas and prioritylevelconfigurations
As of upgrading to Kubernetes 1.20, our aggregated API server nows runs some controllers for the two flowcontrol.apiserver.k8s.io resources in the title of this commit, so it needs RBAC to read them.
This should get rid of the following error messages in our Concierge logs:
Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:concierge:concierge" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
Signed-off-by: Andrew Keesler
---
 deploy/concierge/rbac.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 8df8734b..b9165714 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -21,6 +21,9 @@ rules:
 - apiGroups: [ admissionregistration.k8s.io ]
 resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
 verbs: [ get, list, watch ]
+ - apiGroups: [ flowcontrol.apiserver.k8s.io ]
+ resources: [ flowschemas, prioritylevelconfigurations ]
+ verbs: [ get, list, watch ]
 - apiGroups: [ policy ]
 resources: [ podsecuritypolicies ]
 verbs: [ use ]
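Review bot: The new flowcontrol.apiserver.k8s.io rule has no comment explaining why an authentication API server needs to read FlowSchema and PriorityLevelConfiguration, so a later reviewer trimming permissions is likely to drop it and reintroduce the forbidden-list errors quoted in the commit message. I would add above the added `- apiGroups:` line a comment such as `# Read-only access required by the API Priority and Fairness controllers that the aggregated API server runs as of Kubernetes 1.20; removing this brings back "cannot list resource flowschemas/prioritylevelconfigurations" errors.` The verbs are already the minimal get/list/watch set, which is the right least-privilege choice for an informer. The object these rules belong to starts above the hunk; the logged errors are "at the cluster scope", so this only resolves them if that object is a ClusterRole rather than a namespaced Role — worth confirming since the kind is not visible here.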