Fix calico etcd mode networkpolicy RBAC (#12587)
Co-authored-by: Chad Swenson <chadswen@gmail.com>
release-2.28
k8s-infra-cherrypick-robot
5 days ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with
12 additions and
5 deletions
-
roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
|
|
@ -6,19 +6,26 @@ metadata: |
|
|
|
namespace: kube-system |
|
|
|
rules: |
|
|
|
{% if calico_datastore == "etcd" %} |
|
|
|
- apiGroups: |
|
|
|
- "" |
|
|
|
- extensions |
|
|
|
# Pods are monitored for changing labels. |
|
|
|
# The node controller monitors Kubernetes nodes. |
|
|
|
# Namespace and serviceaccount labels are used for policy. |
|
|
|
- apiGroups: [""] |
|
|
|
resources: |
|
|
|
- pods |
|
|
|
- namespaces |
|
|
|
- networkpolicies |
|
|
|
- nodes |
|
|
|
- namespaces |
|
|
|
- serviceaccounts |
|
|
|
verbs: |
|
|
|
- watch |
|
|
|
- list |
|
|
|
- get |
|
|
|
# Watch for changes to Kubernetes NetworkPolicies. |
|
|
|
- apiGroups: ["networking.k8s.io"] |
|
|
|
resources: |
|
|
|
- networkpolicies |
|
|
|
verbs: |
|
|
|
- watch |
|
|
|
- list |
|
|
|
{% elif calico_datastore == "kdd" %} |
|
|
|
# Nodes are watched to monitor for deletions. |
|
|
|
- apiGroups: [""] |
|
|
|