Merge pull request #3864 from Brian-McM/bm-picks-for-1.38

[PICK release-v1.38] add more permissions for gaurdian for net policy

Author: marvin-tigera

pkg/crds/enterprise/crd.projectcalico.org_bgpconfigurations.yaml

@@ -88,6 +88,16 @@ spec:
                 maximum: 65535
                 minimum: 1
                 type: integer
+              localWorkloadPeeringIPV4:
+                description: |-
+                  The virtual IPv4 address of the node with which its local workload is expected to peer.
+                  It is recommended to use a link-local address.
+                type: string
+              localWorkloadPeeringIPV6:
+                description: |-
+                  The virtual IPv6 address of the node with which its local workload is expected to peer.
+                  It is recommended to use a link-local address.
+                type: string
               logSeverityScreen:
                 description: 'LogSeverityScreen is the log severity above which logs
                   are sent to the stdout. [Default: INFO]'

pkg/crds/enterprise/crd.projectcalico.org_bgppeers.yaml

@@ -75,6 +75,11 @@ spec:
                   Setting "true" configures the selected BGP Peers node to use the "next hop keep;"
                   instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg".
                 type: boolean
+              localWorkloadSelector:
+                description: |-
+                  Selector for the local workload that the node should peer with. When this is set, the peerSelector and peerIP fields must be empty,
+                  and the ASNumber must not be empty.
+                type: string
               maxRestartTime:
                 description: |-
                   Time to allow for software restart.  When specified, this is configured as the graceful

pkg/render/guardian.go

@@ -259,13 +259,20 @@ func (c *GuardianComponent) clusterRole() *rbacv1.ClusterRole {
 				Resources: []string{"deployments", "replicasets", "statefulsets", "daemonsets"},
 				Verbs:     []string{"get", "list", "watch"},
 			},
+			rbacv1.PolicyRule{
+				APIGroups: []string{"networking.k8s.io"},
+				Resources: []string{"networkpolicies"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
 			rbacv1.PolicyRule{
 				APIGroups: []string{"projectcalico.org"},
 				Resources: []string{
 					"clusterinformations",
 					"tiers",
 					"stagednetworkpolicies",
 					"tier.stagednetworkpolicies",
+					"stagedglobalnetworkpolicies",
+					"tier.stagedglobalnetworkpolicies",
 					"networkpolicies",
 					"tier.networkpolicies",
 					"globalnetworkpolicies",