From 6d3b06125ebee49ae313e57351a3a62217660040 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 9 Jan 2017 23:28:22 -0500
Subject: [PATCH] Allow the persistent volume binder to watch events
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 3 +++
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 3e594de805e..9db4ac40e94 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -188,6 +188,9 @@ func init() {
 rbac.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 rbac.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),

+ // recyclerClient.WatchPod
+ rbac.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+
 eventsRule(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 69630f83c9d..2ff78c64e60 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -649,6 +649,13 @@ items:
 - secrets
 verbs:
 - get
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - events
+ verbs:
+ - watch
 - apiGroups:
 - ""
 attributeRestrictions: null
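Review bot: In the `controller_policy.go` hunk, the comment `// recyclerClient.WatchPod` does not explain why a pod watch needs `watch` on `events`, and the rule it labels is broader than that one call site: it names no namespace or resource, so the role can watch every event in the legacy group wherever it is bound. RBAC cannot restrict a watch by field selector, so narrowing it to one pod's events is presumably not possible, but the trade-off should be recorded next to the rule, e.g. `// recyclerClient.WatchPod watches events for the recycler pod; RBAC cannot scope this to one pod, so watch is granted on all events`. Whether this role already allows `watch` on `pods`, which that call presumably also needs, cannot be checked here because `init()` starts and ends outside the hunk.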