Fix RBAC: grant core API group events permission for leader election event recorder #1080
ChristianZaccaria wants to merge 1 commit into
Pull request overview
This PR fixes the controller’s ClusterRole RBAC for leader-election event recording by granting permissions to create/patch events in the core API group (""), which controller-runtime uses for its legacy v1.Event leader-election notifications.
Changes:
- Add a kubebuilder RBAC marker for core-group `events` (`groups=core,resources=events,verbs=create;patch`) alongside the existing `events.k8s.io` marker.
- Regenerate the RBAC manifests so the resulting ClusterRole rule includes both `""` and `events.k8s.io` API groups for `events`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| controllers/sandbox_controller.go | Adds the missing kubebuilder RBAC marker for core-group events permissions needed by leader-election event recorder. |
| k8s/rbac.generated.yaml | Regenerated ClusterRole rules now include a merged events rule covering both "" and events.k8s.io. |
| helm/templates/rbac.generated.yaml | Mirrors the regenerated RBAC rule update for Helm installs. |
Summary
- "") events, fixing the `events is forbidden` error emitted by the leader election event recorder.
- `events.k8s.io` marker is retained; `controller-gen` merges both groups into a single rule.

Fixes #1079

Root Cause
The kubebuilder marker only declared `events.k8s.io`, but controller-runtime's leader election uses the legacy `v1.Event` (core API group `""`) to announce leadership transitions. The generated ClusterRole was therefore missing the needed permission.

Changes
- `controllers/sandbox_controller.go`: Added `//+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch`
- `k8s/rbac.generated.yaml`, `helm/templates/rbac.generated.yaml`: Regenerated via `make fix-go-generate`

Test Plan
- `make build` passes
- `go test -race ./controllers/...` passes
- `make fix-go-generate` produces the expected merged rule
- `events is forbidden` error in controller logs

/kind bug
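An added example (not code from this PR or its project): a simplified Go model of RBAC rule matching that shows why a rule listing only `events.k8s.io` leaves core-group (`""`) events uncovered, and that the merged rule closes the gap. The `PolicyRule` type, the function names and both sample rule sets are constructed for illustration; the `before` verbs are assumed to equal those of the new marker, and subresources and resourceNames are ignored.

```go
package main

import "fmt"

// PolicyRule holds the RBAC rule fields relevant here (hypothetical, simplified type).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether a single rule matches group, resource and verb together.
func Allowed(rules []PolicyRule, apiGroup, resource, verb string) bool {
	for _, r := range rules {
		if has(r.APIGroups, apiGroup) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// MissingEventGrants lists create/patch grants on events absent from either API group.
func MissingEventGrants(rules []PolicyRule) []string {
	var missing []string
	for _, g := range []string{"", "events.k8s.io"} { // "" is the core API group
		for _, v := range []string{"create", "patch"} {
			if !Allowed(rules, g, "events", v) {
				missing = append(missing, fmt.Sprintf("%q/events:%s", g, v))
			}
		}
	}
	return missing
}

// Constructed samples: before = events.k8s.io only, after = the merged rule.
var before = []PolicyRule{{[]string{"events.k8s.io"}, []string{"events"}, []string{"create", "patch"}}}
var after = []PolicyRule{{[]string{"", "events.k8s.io"}, []string{"events"}, []string{"create", "patch"}}}

func main() {
	fmt.Println("before:", MissingEventGrants(before))
	fmt.Println("after: ", MissingEventGrants(after))
}
```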