From 91bd11681aafa22d28776f90097d74c03be701ea Mon Sep 17 00:00:00 2001
From: knight42
Date: Thu, 24 Sep 2020 16:14:06 +0800
Subject: [PATCH] fix: correct glbc ClusterRole

Signed-off-by: knight42
---
 .../addons/rbac/cluster-loadbalancing/glbc/roles.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml b/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml
index 8d25daefd6a..3e7736c2f9d 100644
--- a/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml
+++ b/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml
@@ -35,7 +35,7 @@ rules:
 - apiGroups: ["extensions", "networking.k8s.io"]
 resources: ["ingresses"]
 verbs: ["get", "list", "watch"]
-# For now, GLBC annotates ingress resources with various state and statuses:
+# For now, GLBC annotates ingress resources with various state and statuses:
 # https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
 # TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
 - apiGroups: ["extensions", "networking.k8s.io"]
@@ -44,8 +44,9 @@ rules:
 - apiGroups: ["extensions", "networking.k8s.io"]
 resources: ["ingresses/status"]
 verbs: ["update", "patch"]
-# GLBC ensures that the `cloud.google.com/backendconfigs` CRD exists in a desired state:
-# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/cmd/glbc/main.go#L93
+# GLBC ensures that the `cloud.google.com/backendconfigs` and `networking.gke.io/servicenetworkendpointgroups` CRD exists in a desired state:
+# https://github.com/kubernetes/ingress-gce/blob/5c3fcb5845e74b92ea8bd52929b15fc5c9fa7970/cmd/glbc/main.go#L108
+# https://github.com/kubernetes/ingress-gce/blob/5c3fcb5845e74b92ea8bd52929b15fc5c9fa7970/cmd/glbc/main.go#L133
 # TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
@@ -53,3 +54,6 @@ rules:
 - apiGroups: ["cloud.google.com"]
 resources: ["backendconfigs"]
 verbs: ["get", "list", "watch", "update", "create", "patch"]
+- apiGroups: ["networking.gke.io"]
+ resources: ["servicenetworkendpointgroups"]
+ verbs: ["get", "list", "watch", "update", "create", "patch"]
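Review bot: The `customresourcedefinitions` rule under this comment is now documented as covering two CRDs, but the lines visible in the hunk show no `resourceNames`, so whatever verbs it grants apply to every CRD in the cluster. Its `verbs:` line falls outside the hunk, so the exact set cannot be confirmed here. If that set includes `update` or `patch`, consider splitting the rule so those verbs carry `resourceNames: ["backendconfigs.cloud.google.com", "servicenetworkendpointgroups.networking.gke.io"]` (names inferred from the plurals and groups on this page; `create` cannot be restricted by name). The comment should also read `CRDs exist in a desired state` now that it names two.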
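Review bot: The new `networking.gke.io` rule grants `update`, `create` and `patch` on `servicenetworkendpointgroups` objects cluster-wide, yet nothing in the patch says which controller path writes them. The comment and links added in the previous hunk describe ensuring the CRD, which is the separate `customresourcedefinitions` rule. The verb list appears to be copied from the `backendconfigs` rule above it, so it is worth checking against the pinned ingress-gce revision and dropping any verb the controller does not issue. I would add a comment above the rule such as `# Object-level access to ServiceNetworkEndpointGroup; TODO: confirm required verbs and trim`. Whether `delete` or a `servicenetworkendpointgroups/status` entry is also needed cannot be determined from this page.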