
Fix RBAC: grant core API group events permission for leader election event recorder#1080

Open
ChristianZaccaria wants to merge 1 commit into kubernetes-sigs:main from ChristianZaccaria:pr-1

Conversation

@ChristianZaccaria commented Jul 2, 2026


Summary

  • Adds missing RBAC permission for core API group ("") events, fixing the "events is forbidden" error emitted by the leader election event recorder.
  • The existing events.k8s.io marker is retained; controller-gen merges both groups into a single rule.

Fixes #1079

Root Cause

The kubebuilder marker only declared events.k8s.io, but controller-runtime's leader election uses the legacy v1.Event (core API group "") to announce leadership transitions. The generated ClusterRole was therefore missing the needed permission.

Changes

  • controllers/sandbox_controller.go: Added //+kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
  • k8s/rbac.generated.yaml, helm/templates/rbac.generated.yaml: Regenerated via make fix-go-generate

Test Plan

  • make build passes
  • go test -race ./controllers/... passes
  • make fix-go-generate produces the expected merged rule
  • Deploy to a kind cluster and verify no "events is forbidden" error in controller logs

/kind bug

Summary by CodeRabbit

  • Bug Fixes
    • Updated permissions so the sandbox controller can create and update Kubernetes events reliably.
    • Adjusted generated access rules to keep event handling consistent across deployment manifests.
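The PR's root cause comes down to how RBAC matches rules: `""` (the core/legacy group, where `v1.Event` lives) and `events.k8s.io` are distinct apiGroups, so a rule naming only the latter never matches the recorder's core-group calls. The following is an added example, not code from this PR or the agent-sandbox project. It models the before and after ClusterRole rules as plain structs (a hypothetical `PolicyRule` type mirroring the rbac.authorization.k8s.io/v1 fields that matter here; resourceNames and nonResourceURLs are omitted) and evaluates the create/patch requests a core-group event recorder issues against each.

```go
package main

import "fmt"

// PolicyRule mirrors the subset of rbac.authorization.k8s.io/v1 PolicyRule
// fields used here. Hypothetical plain struct so the example runs without
// client-go; resourceNames and nonResourceURLs are left out.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is one authorization question: may the subject perform Verb on
// Resource in APIGroup? The core/legacy group (where v1.Event lives) is "".
type Request struct {
	APIGroup string
	Resource string
	Verb     string
}

// matches implements the RBAC list match: an exact entry or the "*" wildcard.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows reports whether at least one rule grants the request. RBAC is purely
// additive: group, resource and verb must all match within a single rule, and
// there are no deny rules.
func Allows(rules []PolicyRule, r Request) bool {
	for _, rule := range rules {
		if matches(rule.APIGroups, r.APIGroup) &&
			matches(rule.Resources, r.Resource) &&
			matches(rule.Verbs, r.Verb) {
			return true
		}
	}
	return false
}

// Denied returns the requests that no rule grants.
func Denied(rules []PolicyRule, reqs []Request) []Request {
	var out []Request
	for _, r := range reqs {
		if !Allows(rules, r) {
			out = append(out, r)
		}
	}
	return out
}

// RulesBefore is the events rule the old marker (events.k8s.io only) produced.
var RulesBefore = []PolicyRule{
	{APIGroups: []string{"events.k8s.io"}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}},
}

// RulesAfter is the merged rule the PR describes: controller-gen folds the
// core ("") and events.k8s.io markers into one rule. Equivalent YAML:
//
//	- apiGroups: ["", "events.k8s.io"]
//	  resources: ["events"]
//	  verbs: ["create", "patch"]
var RulesAfter = []PolicyRule{
	{APIGroups: []string{"", "events.k8s.io"}, Resources: []string{"events"}, Verbs: []string{"create", "patch"}},
}

// RecorderRequests are the core-group calls covered by the PR's marker
// (verbs=create;patch) that a legacy v1.Event recorder makes. Constructed input.
var RecorderRequests = []Request{
	{APIGroup: "", Resource: "events", Verb: "create"},
	{APIGroup: "", Resource: "events", Verb: "patch"},
}

func main() {
	for _, r := range Denied(RulesBefore, RecorderRequests) {
		fmt.Printf("before the fix: %s %s in group %q is forbidden\n", r.Verb, r.Resource, r.APIGroup)
	}
	fmt.Printf("after the fix: %d recorder requests denied\n", len(Denied(RulesAfter, RecorderRequests)))
}
```

On a live cluster the same check is `kubectl auth can-i create events --as=system:serviceaccount:<namespace>:<serviceaccount>` for the controller's service account, once against the core group (the default) and once with `--subresource` left unset but the group qualified as `events.events.k8s.io`, which confirms both groups are granted and that nothing broader than create/patch on events was added.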
github-project-automation Bot moved this to Backlog in Agent Sandbox, Jul 2, 2026
kubernetes-prow Bot added the kind/bug label (Categorizes issue or PR as related to a bug.), Jul 2, 2026
@kubernetes-prow


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ChristianZaccaria
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kubernetes-prow Bot requested review from justinsb and soltysh, July 2, 2026 14:44

netlify Bot commented Jul 2, 2026


Deploy Preview for agent-sandbox canceled.

Latest commit: 9637c05
Latest deploy log: https://app.netlify.com/projects/agent-sandbox/deploys/6a46793319acac00081339aa
@kubernetes-prow


Welcome @ChristianZaccaria!

It looks like this is your first PR to kubernetes-sigs/agent-sandbox 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/agent-sandbox has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

kubernetes-prow Bot added the labels cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA.) and needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.), Jul 2, 2026
@kubernetes-prow


Hi @ChristianZaccaria. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

kubernetes-prow Bot added the size/M label (Denotes a PR that changes 30-99 lines, ignoring generated files.), Jul 2, 2026

coderabbitai Bot commented Jul 2, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 96c65beb-5b83-481e-8aea-66707bcbe3b0

📥 Commits

Reviewing files that changed from the base of the PR and between 0be472b and 9637c05.

📒 Files selected for processing (3)
  • controllers/sandbox_controller.go
  • helm/templates/rbac.generated.yaml
  • k8s/rbac.generated.yaml

Walkthrough

This PR adds a Kubebuilder RBAC annotation granting the controller create;patch permissions on core API group events resources, fixing a leader election event recording error. The generated Helm and k8s ClusterRole manifests are regenerated to reflect the relocated events.k8s.io rule.

Changes

RBAC Fix for Core Events Permission

  • Controller RBAC marker (controllers/sandbox_controller.go): Adds a Kubebuilder RBAC annotation granting create;patch on core group events resources, fixing leader election event recorder permission errors.
  • Regenerated ClusterRole manifests (helm/templates/rbac.generated.yaml, k8s/rbac.generated.yaml): Updates generated ClusterRole rule ordering, adding/relocating an events.k8s.io rule granting create and patch on events.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Suggested reviewers: barney-s, justinsb, igooch

Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly summarizes the core RBAC fix for leader election event permissions.
  • Description check: Passed. The description includes the problem, root cause, changes, issue link, and test plan; only template formatting differs.
  • Linked Issues check: Passed. The changes satisfy #1079 by adding core events RBAC and regenerating the manifests while retaining events.k8s.io.
  • Out of Scope Changes check: Passed. The PR only updates RBAC annotations and generated manifests, with no unrelated changes visible.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Copilot AI left a comment


Pull request overview

This PR fixes the controller’s ClusterRole RBAC for leader-election event recording by granting permissions to create/patch events in the core API group (""), which controller-runtime uses for its legacy v1.Event leader-election notifications.

Changes:

  • Add a kubebuilder RBAC marker for core-group events (groups=core,resources=events,verbs=create;patch) alongside the existing events.k8s.io marker.
  • Regenerate the RBAC manifests so the resulting ClusterRole rule includes both "" and events.k8s.io API groups for events.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • controllers/sandbox_controller.go: Adds the missing kubebuilder RBAC marker for core-group events permissions needed by the leader-election event recorder.
  • k8s/rbac.generated.yaml: Regenerated ClusterRole rules now include a merged events rule covering both "" and events.k8s.io.
  • helm/templates/rbac.generated.yaml: Mirrors the regenerated RBAC rule update for Helm installs.

Labels

  • cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA.)
  • kind/bug (Categorizes issue or PR as related to a bug.)
  • needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.)
  • ready-for-review
  • size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.)

3 participants