operator: Include ClusterRole permission for redpanda controller#542
Merged
RafalKorepta merged 1 commit intomainfrom Mar 20, 2025
Merged
operator: Include ClusterRole permission for redpanda controller#542RafalKorepta merged 1 commit intomainfrom
RafalKorepta merged 1 commit intomainfrom
Conversation
In the redpanda package the kubebuilder comment does not have all possible
variants of ClusterRole permissions neccessery to handle creation of all
Redpanda helm chart resources. During integration test suite execution
controller runtime complain about leases permissions missing.
```
error: deploying *v1.Role: \"rp-4bpw0i-sidecar-controllers\":
roles.rbac.authorization.k8s.io \"rp-4bpw0i-sidecar-controllers\" is forbidden:
user \"system:serviceaccount:testenv-wm758:testenv-pzy3ce\"
(groups=[\"system:serviceaccounts\" \"system:serviceaccounts:testenv-wm758\" \"system:authenticated\"])
is attempting to grant RBAC permissions not currently held:
{APIGroups:[\"coordination.k8s.io\"], Resources:[\"leases\"], Verbs:[\"create\" \"delete\" \"get\" \"list\" \"patch\" \"update\" \"watch\"]}"
```
The setup of integration test suite included only permissions defined in redpanda package.
Kustomize and Operator helm chart includes those missing permissions.
RafalKorepta
requested review from
andrewstucki,
chrisseto and
gene-redpanda
as code owners
chrisseto
approved these changes
Mar 20, 2025
Contributor
chrisseto
left a comment
chrisseto
left a comment
There was a problem hiding this comment.
LGTM as is but I wonder if it'd be better to disable the K8S API integrations of the sidecars when they're deployed from the operator.
Contributor
Author
It's not possible to disable leases that needs to be created in order to deploy even single Redapnda Pod. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In the redpanda package the kubebuilder comment does not have all possible variants of ClusterRole permissions neccessery to handle creation of all Redpanda helm chart resources. During integration test suite execution controller runtime complain about leases permissions missing.
The setup of integration test suite included only permissions defined in redpanda package. Kustomize and Operator helm chart includes those missing permissions.
The failure started from #521 PR