[cozystack-controller] Clusterwide read perms

In an earlier patch the Cozystack controller now reads arbitrary objects
in the cluster to establish the lineage of any created pod, service,
pvc, or secret. These objects may be created by various other
controllers, so in general, the controller now requires read permissions
on arbitrary objects in the cluster.

```release-note
[cozystack-controller] Fix an RBAC error that prevented the workload
labelling feature from working.
```

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
Timofei Larkin
2025-09-15 18:49:33 +03:00
parent 08b5217b72
commit f2cfb4f870


@@ -3,9 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cozystack-controller
rules:
- apiGroups: [""]
resources: ["configmaps", "pods", "namespaces", "nodes", "services", "persistentvolumes", "persistentvolumeclaims"]
verbs: ["get", "watch", "list"]
- apiGroups: ['cozystack.io']
resources: ['*']
verbs: ['*']
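Review bot: the hunk header (-3,9 +3,6) shows the three-line core-group rule (configmaps, pods, namespaces, nodes, services, persistentvolumes, persistentvolumeclaims with get/watch/list) being dropped rather than kept, and that is only correct because the second hunk adds a rule granting get/list/watch on every API group and every resource. Dropping the explicit enumeration makes it harder to audit what the controller actually needs; consider keeping this rule with a comment naming the kinds the lineage lookup reads, or at least a comment in the ClusterRole stating that the narrow rule is now subsumed by the wildcard and why.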
@@ -15,6 +12,6 @@ rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["apps"]
resources: ["deployments"]
- apiGroups: ['*']
resources: ['*']
verbs: ["get", "list", "watch"]
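Review bot: `apiGroups: ['*']` together with `resources: ['*']` and get/list/watch is cluster-wide read on everything, including Secrets in every namespace and any CRD installed now or later, which goes well beyond the pods, services, PVCs and Secrets the commit message names as lineage inputs. If the lineage is established by walking ownerReferences, the rule can be narrowed to the kinds that actually appear as owners (the cozystack.io types already covered by the earlier rule, plus the workload kinds such as deployments that this hunk removes) and the four target kinds, and extended when a new owner kind shows up. If the wildcard has to stay, add a comment in the manifest stating that this ServiceAccount can read every Secret in the cluster so its token is treated as a high-value credential, and note that the removed apps/deployments rule is intentionally subsumed by it.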