From f2cfb4f8707ab527eae828919c53ec3d837fd379 Mon Sep 17 00:00:00 2001
From: Timofei Larkin
Date: Mon, 15 Sep 2025 18:49:33 +0300
Subject: [PATCH] [cozystack-controller] Clusterwide read perms

In an earlier patch the Cozystack controller now reads arbitrary objects in the cluster to establish the lineage of any created pod, service, pvc, or secret. These objects may be created by various other controllers, so in general, the controller now requires read permissions on arbitrary objects in the cluster.

```release-note
[cozystack-controler] Fix an RBAC error that prevented the workload labelling feature from working.
```

Signed-off-by: Timofei Larkin
---
 packages/system/cozystack-controller/templates/rbac.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/packages/system/cozystack-controller/templates/rbac.yaml b/packages/system/cozystack-controller/templates/rbac.yaml
index 4aa17a29..917b736f 100644
--- a/packages/system/cozystack-controller/templates/rbac.yaml
+++ b/packages/system/cozystack-controller/templates/rbac.yaml
@@ -3,9 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cozystack-controller
 rules:
-- apiGroups: [""]
-  resources: ["configmaps", "pods", "namespaces", "nodes", "services", "persistentvolumes", "persistentvolumeclaims"]
-  verbs: ["get", "watch", "list"]
 - apiGroups: ['cozystack.io']
   resources: ['*']
   verbs: ['*']
@@ -15,6 +12,6 @@ rules:
 - apiGroups: [""]
   resources: ["namespaces"]
   verbs: ["get", "list", "watch", "patch", "update"]
-- apiGroups: ["apps"]
-  resources: ["deployments"]
+- apiGroups: ['*']
+  resources: ['*']
   verbs: ["get", "list", "watch"]
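Review bot: The rule added at the end of the second hunk, `- apiGroups: ['*']` / `resources: ['*']` with the existing `verbs: ["get", "list", "watch"]`, gives the controller's service account read access to every resource in every API group cluster-wide; because an RBAC `*` in `resources` also matches subresources, this covers core Secrets as well as things like `pods/log`, so a compromise of the controller pod now exposes the readable state of the whole cluster rather than the explicit kinds the old first rule listed. Walking ownerReferences as the commit message describes needs only `get` on the owner kinds, so `list` and `watch` on `*` look broader than the stated requirement unless the controller also runs informers on those kinds — worth confirming and trimming to `verbs: ["get"]` if it does not. A comment above the rule stating why the wildcard is needed, e.g. `# Wildcard read: ownerReferences of pods/services/pvcs/secrets may point at objects of any kind`, would stop a later reviewer from narrowing it back to the explicit list and silently reintroducing the RBAC error this patch fixes. The new lines also quote with `'*'` while the adjacent `verbs` line uses double quotes; picking one quoting style for the file would be consistent.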