Merge pull request #818 from EladDolev/helm_fix_rbac

k8s-ci-robot · web-flow · commit be7f71fd9c64 · 2024-11-05T19:07:29.000Z
Dynamically add required RBAC in Helm chart
diff --git a/manifests/install/charts/as-a-second-scheduler/templates/rbac.yaml b/manifests/install/charts/as-a-second-scheduler/templates/rbac.yaml
@@ -62,20 +62,23 @@ rules:
 - apiGroups: ["topology.node.k8s.io"]
   resources: ["noderesourcetopologies"]
   verbs: ["get", "list", "watch"]
-# resources need to be updated with the scheduler plugins used
 - apiGroups: ["scheduling.x-k8s.io"]
   resources: ["podgroups", "elasticquotas", "podgroups/status", "elasticquotas/status"]
   verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
-# for network-aware plugins add the following lines
-#- apiGroups: [ "appgroup.diktyo.x-k8s.io" ]
-#  resources: [ "appgroups" ]
-#  verbs: [ "get", "list", "watch", "create", "delete", "update", "patch" ]
-#- apiGroups: [ "networktopology.diktyo.x-k8s.io" ]
-#  resources: [ "networktopologies" ]
-#  verbs: [ "get", "list", "watch", "create", "delete", "update", "patch" ]
-#- apiGroups: ["security-profiles-operator.x-k8s.io"]
-#  resources: ["seccompprofiles", "profilebindings"]
-#  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+{{- /* resources need to be updated with the scheduler plugins used */}}
+{{- if has "NetworkOverhead" .Values.plugins.enabled }}
+- apiGroups: [ "appgroup.diktyo.x-k8s.io" ]
+  resources: [ "appgroups" ]
+  verbs: [ "get", "list", "watch", "create", "delete", "update", "patch" ]
+- apiGroups: [ "networktopology.diktyo.x-k8s.io" ]
+  resources: [ "networktopologies" ]
+  verbs: [ "get", "list", "watch", "create", "delete", "update", "patch" ]
+{{- end }}
+{{- if has "SySched" .Values.plugins.enabled }}
+- apiGroups: ["security-profiles-operator.x-k8s.io"]
+  resources: ["seccompprofiles", "profilebindings"]
+  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+{{- end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -107,13 +110,20 @@ rules:
 - apiGroups: ["topology.node.k8s.io"]
   resources: ["noderesourcetopologies"]
   verbs: ["get", "list", "watch"]
-# resources need to be updated with the scheduler plugins used
 - apiGroups: ["scheduling.x-k8s.io"]
   resources: ["podgroups", "elasticquotas", "podgroups/status", "elasticquotas/status"]
   verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
-#- apiGroups: ["security-profiles-operator.x-k8s.io"]
-#  resources: ["seccompprofiles", "profilebindings"]
-#  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+{{- /* resources need to be updated with the scheduler plugins used */}}
+{{- if has "PreemptionToleration" .Values.plugins.enabled }}
+- apiGroups: ["scheduling.k8s.io"]
+  resources: ["priorityclasses"]
+  verbs: ["get", "list", "watch"]
+{{- end }}
+{{- if has "SySched" .Values.plugins.enabled }}
+- apiGroups: ["security-profiles-operator.x-k8s.io"]
+  resources: ["seccompprofiles", "profilebindings"]
+  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+{{- end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
