From 392815d97c470f42273fb3aec0a2105248f9d066 Mon Sep 17 00:00:00 2001
From: onock <69904894+onock@users.noreply.github.com>
Date: Thu, 20 Jan 2022 21:17:09 +0100
Subject: [PATCH] [cert-manager] Fix missing RBAC rules for ClusterRole cert-manager-cainjector kubernetes-sigs#8104. (#8444)
---
 .../cert_manager/templates/cert-manager.yml.j2 | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 62930d5dd..10df7bb1e 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -93,6 +93,12 @@ rules:
 - apiGroups: ["auditregistration.k8s.io"]
 resources: ["auditsinks"]
 verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "update"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "update"]
 ---
 # Source: cert-manager/templates/rbac.yaml
 # Issuer controller role
@@ -661,7 +667,7 @@ rules:
 ---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
 name: cert-manager:leaderelection
 namespace: {{ cert_manager_leader_election_namespace }}
@@ -739,7 +745,7 @@ subjects:
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
 name: cert-manager:leaderelection
 namespace: {{ cert_manager_leader_election_namespace }}
@@ -751,7 +757,7 @@ metadata:
 app.kubernetes.io/version: "{{ cert_manager_version }}"
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: ClusterRole
 name: cert-manager:leaderelection
 subjects:
 - apiGroup: ""
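Review bot: The two rules added after the `auditsinks` rule grant `create`, `get` and `update` on every ConfigMap and Lease in the cluster, because they sit in a ClusterRole (cert-manager-cainjector, going by the commit subject; the role's header is outside the hunk). These look like leader-election permissions, which are only needed in `{{ cert_manager_leader_election_namespace }}`, whereas cluster-wide ConfigMap update would let a compromised cainjector pod rewrite configuration in any namespace. A namespaced Role in the leader-election namespace, bound to the cainjector service account with a RoleBinding, would carry the same verbs without the cluster-wide reach. The sketch below shows only the Role, with a placeholder name; the binding's subject is not visible in this patch.

```yaml
# namespaced alternative to the two cluster-wide rules; the name is a placeholder
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: <cainjector-leaderelection-role-name>
  namespace: {{ cert_manager_leader_election_namespace }}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "update"]
```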
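Review bot: The `cert-manager:leaderelection` grant becomes cluster-wide here: with `kind: ClusterRole` in this hunk and `kind: ClusterRoleBinding` / `kind: ClusterRole` in the two hunks that follow, whatever the role's rules allow (they are outside the hunks) now applies in every namespace instead of only the leader-election one. ClusterRole and ClusterRoleBinding are not namespaced, so the retained `namespace: {{ cert_manager_leader_election_namespace }}` lines under both `metadata:` blocks no longer scope anything. The comment `# grant cert-manager permission to manage the leaderelection configmap in the leader election namespace` now understates what the binding grants. If the namespaced objects were failing because of a namespace mismatch, keeping `kind: Role` and `kind: RoleBinding` and fixing the namespace would preserve least privilege. Otherwise drop the two `namespace:` lines and reword the comment to say the grant is cluster-wide.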