From 86ae8b593624d35931a7ccb6b77b62496c3788dd Mon Sep 17 00:00:00 2001
From: Quan Tian
Date: Fri, 13 Dec 2024 18:00:23 +0800
Subject: [PATCH] Add watch permission to namespace-controller for WatchListClient feature

The WatchListClient feature is enabled for kube-controller-manager, but namespace-controller misses the necessary "watch" permission, which results in 30 error logs being generated every time a namespace is deleted and falling back to the standard LIST semantics.

Signed-off-by: Quan Tian
---
 .../auth/authorizer/rbac/bootstrappolicy/controller_policy.go | 2 +-
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 5d6e31dec44..f23a3751291 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -254,7 +254,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
 rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("namespaces/finalize", "namespaces/status").RuleOrDie(),
-rbacv1helpers.NewRule("get", "list", "delete", "deletecollection").Groups("*").Resources("*").RuleOrDie(),
+rbacv1helpers.NewRule("get", "list", "watch", "delete", "deletecollection").Groups("*").Resources("*").RuleOrDie(),
 },
 })
 addControllerRole(&controllerRoles, &controllerRoleBindings, func() rbacv1.ClusterRole {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index c3c941a0b9b..f89dea6d4a5 100644
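Review bot: The added "watch" verb lands on the wildcard rule (`Groups("*").Resources("*")`), so namespace-controller now holds a cluster-wide watch on every resource type in every API group, and nothing next to that line records why the verb is required. Because the same rule already granted "list" on the same wildcard scope, the set of objects the controller can read should not change — watch only adds streaming delivery of those objects — but that reasoning currently lives only in the commit message, and a reader auditing the bootstrap policy later could plausibly see no watch call in the controller and trim it back. I would put a comment above the changed line: `// "watch" is needed alongside "list" because the WatchListClient feature streams LIST results over WATCH; without it the client logs errors and falls back to a plain LIST on every namespace deletion.` The enclosing buildControllerRoles function begins and ends outside this hunk; the testdata fixture in controller-roles.yaml is updated in step with this change.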
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -875,6 +875,7 @@ items:
 - deletecollection
 - get
 - list
+- watch
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: