From 8cc56945805b1acd1b80aeb96d47716c97c6697b Mon Sep 17 00:00:00 2001
From: Cyclinder
Date: Tue, 13 May 2025 16:43:17 +0800
Subject: [PATCH] calico: update calico-kube-controller manifest (#12169)

---
 .../templates/calico-kube-controllers.yml.j2 | 6 ++++++
 .../calico/templates/calico-kube-cr.yml.j2 | 14 +-------------
 2 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
index 0941d29c3..36c22f18e 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -30,6 +30,8 @@ spec:
 operator: Exists
 - key: node-role.kubernetes.io/control-plane
 effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
 {% if policy_controller_extra_tolerations is defined %}
 {{ policy_controller_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
@@ -59,6 +61,8 @@ spec:
 - /usr/bin/check-status
 - -r
 periodSeconds: 10
+ securityContext:
+ runAsNonRoot: true
 env:
 - name: LOG_LEVEL
 value: {{ calico_policy_controller_log_level }}
@@ -68,6 +72,8 @@ spec:
 - name: DATASTORE_TYPE
 value: kubernetes
 {% else %}
+ - name: ENABLED_CONTROLLERS
+ value: policy,namespace,serviceaccount,workloadendpoint,node
 - name: ETCD_ENDPOINTS
 value: "{{ etcd_access_addresses }}"
 - name: ETCD_CA_CERT_FILE
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
index 2181a9738..27652f0c9 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
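Review bot: The new `node-role.kubernetes.io/master` toleration in the -30,6 hunk sits directly under the `control-plane` one with nothing explaining why both are kept, so a reader maintaining this template cannot tell whether one of them is stale. Add a line above the new entry such as `# legacy taint key; nodes tainted before the control-plane rename still carry it, so both keys are tolerated`. If `policy_controller_extra_tolerations` already contains this key the rendered list will simply hold it twice; I believe the API accepts duplicate tolerations, but that is worth a quick check on a cluster that sets the variable. The tolerations list starts above the hunk.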
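Review bot: `runAsNonRoot: true` in the -59,6 hunk is enforced by the kubelet against the image's USER, so if the pinned calico-kube-controllers image runs as root or declares a non-numeric user the container fails with CreateContainerConfigError instead of a policy warning; confirm the image sets a numeric non-root UID, or pair the setting with `runAsUser` carrying that UID. Since a container-level securityContext is being introduced here anyway, `allowPrivilegeEscalation: false` is the usual companion and, as far as this manifest shows, the controller only needs API-server/etcd access, so it should cost nothing. Dropping all capabilities is probably also safe for this container but I have not verified that against the image, so treat it as a follow-up rather than part of this change. The container spec continues outside the hunk.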
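Review bot: The -68,6 hunk turns on the `policy` and `node` controllers explicitly for the non-kdd (etcd) branch, while the -19,19 hunk of calico-kube-cr.yml.j2 deletes the `get nodes` and `watch/list networking.k8s.io networkpolicies` rules from what looks like the same branch (the removed lines sit just before `{% elif calico_datastore == "kdd" %}`); unless the rule above that hunk, whose resources are cut off at the hunk top, already covers nodes and networkpolicies, those two controllers will hit RBAC forbidden errors at runtime that the playbook will not surface. Please check the rendered ClusterRole for the etcd datastore against the five controller names listed in the new value. A comment above the new env such as `# explicit controller set for the etcd datastore; keep the ClusterRole in calico-kube-cr.yml.j2 in sync` would tie the two files together for the next editor. The plain comma-separated scalar is valid in block context, but quoting it like the neighbouring `value: "{{ etcd_access_addresses }}"` would keep the style uniform.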
@@ -19,19 +19,6 @@ rules:
 - watch
 - list
 - get
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - networking.k8s.io
- resources:
- - networkpolicies
- verbs:
- - watch
- - list
 {% elif calico_datastore == "kdd" %}
 # Nodes are watched to monitor for deletions.
 - apiGroups: [""]
@@ -67,6 +54,7 @@ rules:
 - blockaffinities
 - ipamblocks
 - ipamhandles
+ - tiers
 verbs:
 - get
 - list