External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-01-09 23:12:10 -03:30
Code Issues Packages Projects Releases Wiki Activity

Update Calico apiserver RBAC for Kubernetes 1.33+ (#12695)

Browse Source 
Add missing RBAC permissions for Calico apiserver to function correctly
with Kubernetes 1.33+

Changes:

1. Add K8s 1.33 ValidatingAdmissionPolicy resources to calico-webhook-reader
   - validatingadmissionpolicies
   - validatingadmissionpolicybindings

Kubernetes 1.33 introduced ValidatingAdmissionPolicy resources (KEP-3488)
that require explicit RBAC permissions. Without these changes, Calico
apiserver on k8s 1.33+ will not work and needless errors are logged

Co-authored-by: rickerc <chris.ricker@gmail.com>
This commit is contained in:
k8s-infra-cherrypick-robot 2025-11-14 04:49:38 -08:00 committed by GitHub
parent fe566df651
commit e5a1f68a2c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/network_plugin/calico/templates/calico-apiserver.yml.j2
View File

@ -235,6 +235,8 @@ rules:
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- validatingadmissionpolicies # Required for Kubernetes 1.33+
- validatingadmissionpolicybindings # Required for Kubernetes 1.33+
verbs:
- get
- list