Update cluster-role for cilium to prevent errors in agent startup (#11466)

* Update cluster-role for cilium to prevent errors in agent startup

ciliumloadbalancerippools permissions exist in the cilium helm chart for version 1.13.0
https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L71

The agent also needs permissions to read/watch secrets for bgp auth secrets when using CiliumBGPPeeringPolicy with a secret.

* Remove list/watch permissions for secrets

* Remove secrets from list/watch permissions
pull/11584/head
Baargav 2024-09-28 21:30:02 -04:00 committed by GitHub
parent 8c3b2851f6
commit 860c15cec1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions


@ -32,6 +32,12 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{% if cilium_version | regex_replace('v') is version('1.12', '<') %} {% if cilium_version | regex_replace('v') is version('1.12', '<') %}
- apiGroups: - apiGroups:
- "" - ""
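Review bot: The new rule grants `get` on `secrets` in the core API group with no `resourceNames` and no Jinja condition around it, so once this ClusterRole is bound cluster-wide the agent can read any Secret by name in any namespace, whether or not BGP is in use. The commit message says the access is only needed for BGP auth secrets referenced by a CiliumBGPPeeringPolicy; consider moving it into a namespaced Role and RoleBinding for the namespace that holds those secrets, or at least gating the rule on a feature or version condition like the `{% if cilium_version ... %}` blocks around it. A short comment above the rule stating why the agent reads secrets would also help later RBAC audits.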
@ -98,6 +104,9 @@ rules:
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %} {% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools - ciliumbgploadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
{% if cilium_version | regex_replace('v') is version('1.13', '>=') %}
- ciliumloadbalancerippools
{% endif %}
{% endif %} {% endif %}
{% if cilium_version | regex_replace('v') is version('1.11.5', '<') %} {% if cilium_version | regex_replace('v') is version('1.11.5', '<') %}
- ciliumnetworkpolicies/finalizers - ciliumnetworkpolicies/finalizers
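Review bot: `ciliumloadbalancerippools` is appended to an existing `resources:` list, so it inherits that rule's verbs, which are outside this hunk; please confirm they are no broader than what the agent gets for this resource in the upstream v1.13.0 ClusterRole linked in the commit message. The `version('1.13', '>=')` check nested inside the `1.12` block is easy to misread next to the neighbouring conditions, so a one-line Jinja comment noting that the chart grants this resource from 1.13 onward would help.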