External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-25 23:16:05 -03:30
Code Issues Packages Projects Releases Wiki Activity

Update cluster-role for cilium to prevent errors in agent startup (#11466)

Browse Source 
* Update cluster-role for cilium to prevent errors in agent startup

ciliumloadbalancerippools permissions exists in the cilium helm chart for version 1.13.0
https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L71

The agent also needs permissions to read/watch secrets for bgp auth secrets when using CiliumBGPPeeringPolicy with a secret.

* Remove list/watch permissions for secrets

* Remove secrets from list/watch permissions
This commit is contained in:
Baargav
2024-09-28 21:30:02 -04:00
committed by GitHub
parent 8c3b2851f6
commit 860c15cec1
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
roles/network_plugin/cilium/templates/cilium/cr.yml.j2
View File

@@ -32,6 +32,12 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{% if cilium_version | regex_replace('v') is version('1.12', '<') %} {% if cilium_version | regex_replace('v') is version('1.12', '<') %}
- apiGroups: - apiGroups:
- "" - ""
@@ -98,6 +104,9 @@ rules:
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %} {% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools - ciliumbgploadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
{% if cilium_version | regex_replace('v') is version('1.13', '>=') %}
- ciliumloadbalancerippools
{% endif %}
{% endif %} {% endif %}
{% if cilium_version | regex_replace('v') is version('1.11.5', '<') %} {% if cilium_version | regex_replace('v') is version('1.11.5', '<') %}
- ciliumnetworkpolicies/finalizers - ciliumnetworkpolicies/finalizers