From a9f80c70b2ceb7ad16849a694bbccebec1ee6415 Mon Sep 17 00:00:00 2001 From: Chris Friesen Date: Mon, 9 Dec 2019 10:56:19 -0600 Subject: [PATCH] update RBAC rules in e2e aggregator test Add the "get" and "watch" verbs to the ClusterRole created for the sample apiserver. Without this, the test complains about "Failed to watch..." the resources in question. Strictly speaking the "get" verb doesn't seem to be needed, but this aligns the e2e test with the example at staging/src/k8s.io/sample-apiserver/artifacts/example/rbac.yaml --- test/e2e/apimachinery/aggregator.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/apimachinery/aggregator.go b/test/e2e/apimachinery/aggregator.go index 7b17d148309..86a0e7b287d 100644 --- a/test/e2e/apimachinery/aggregator.go +++ b/test/e2e/apimachinery/aggregator.go @@ -144,8 +144,8 @@ func TestSampleAPIServer(f *framework.Framework, aggrclient *aggregatorclient.Cl // role for listing ValidatingWebhookConfiguration/MutatingWebhookConfiguration/Namespaces ObjectMeta: metav1.ObjectMeta{Name: "sample-apiserver-reader"}, Rules: []rbacv1.PolicyRule{ - rbacv1helpers.NewRule("list").Groups("").Resources("namespaces").RuleOrDie(), - rbacv1helpers.NewRule("list").Groups("admissionregistration.k8s.io").Resources("*").RuleOrDie(), + rbacv1helpers.NewRule("get", "list", "watch").Groups("").Resources("namespaces").RuleOrDie(), + rbacv1helpers.NewRule("get", "list", "watch").Groups("admissionregistration.k8s.io").Resources("*").RuleOrDie(), }, }) framework.ExpectNoError(err, "creating cluster role %s", "sample-apiserver-reader")