fix: restore missing batch/jobs permissions and add PVC permissions to executor role

enriquegh · enriquegh · commit 12a2d671d741 · 2025-07-10T09:08:12.000-06:00
- Re-add batch/jobs create/delete permissions that were accidentally removed
    - Add persistentvolumeclaims create/delete permissions for job workspaces
    - Right-size pod permissions to get/list/watch only
    - Fixes customer-reported "cannot create resource persistentvolumeclaims" errors
    - Resolves batch changes functionality breaking due to missing permissions
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml
@@ -9,17 +9,29 @@ metadata:
     sourcegraph-resource-requires: cluster-admin
     app.kubernetes.io/component: executor
 rules:
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - create
+      - delete
   - apiGroups:
       - ""
     resources:
       - pods
       - pods/log
-      - secrets
-      - persistentvolumeclaims
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - persistentvolumeclaims
+    verbs:
+      - get
       - create
       - delete
 {{- end }}
