github-personal/cozystack
1
0
Fork 0
mirror of https://github.com/outbackdingo/cozystack.git synced 2026-01-28 02:18:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

[cozystack-api] Add missing roles for controller (#1342)

Browse Source 
<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesistate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

## What this PR does


### Release note

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
- controller add roles
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Expanded controller permissions to read Kubernetes deployments (get,
list, watch) for improved deployment visibility.
* Added a scoped role allowing the controller to patch and update a
specific deployment within the system namespace.
* Bound the controller’s service account to the new role to enable these
targeted actions.

* **Bug Fixes**
* Resolved permission gaps that could prevent the controller from
observing or updating the targeted deployment.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
Andrei Kvapil
2025-08-18 19:05:28 +02:00
committed by GitHub
parent 90f6169bad d430048ba3
commit d360c179d1
2 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/system/cozystack-controller/templates/rbac.yaml
View File

@@ -15,3 +15,6 @@ rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]

25
packages/system/cozystack-controller/templates/role.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cozystack-controller-deployment-patch-update
namespace: cozy-system
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
resourceNames: ["cozystack-api"]
verbs: ["patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cozystack-controller-deployment-patch-update
namespace: cozy-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cozystack-controller-deployment-patch-update
subjects:
- kind: ServiceAccount
name: cozystack-controller
namespace: cozy-system