From fa6b4c5df0912adaeb9720084d2f75c449e3a21e Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Mon, 4 Nov 2024 12:32:55 +0100
Subject: [PATCH] Add jobsinks-addressable-resolver cluster role (#8298)

This will ensure that alld ServiceAccount that are bound to "addressable-resolver" ClusterRole can read JobSinks. Fixes issues like this for SinkBindings:
```
{"level":"error","ts":"2024-11-04T08:06:16.160Z","logger":"eventing-webhook","caller":"sinkbinding/sinkbinding.go:87", "msg":"Failed to get Addressable from Destination: %!w(*fmt.wrapError=&{failed to get lister for sinks.knative.dev/v1alpha1, Resource=jobsinks: jobsinks.sinks.knative.dev is forbidden: User \"system:serviceaccount:knative-eventing:eventing-webhook\" cannot list resource \"jobsinks\" in API group \"sinks.knative.dev\"
```
---
 .../roles/controller-clusterrole.yaml | 9 --------
 .../addressable-resolvers-clusterrole.yaml | 22 +++++++++++++++++++
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/config/channels/in-memory-channel/roles/controller-clusterrole.yaml b/config/channels/in-memory-channel/roles/controller-clusterrole.yaml
index 58c58143968..6164e834f41 100644
--- a/config/channels/in-memory-channel/roles/controller-clusterrole.yaml
+++ b/config/channels/in-memory-channel/roles/controller-clusterrole.yaml
@@ -53,15 +53,6 @@ rules:
 - get
 - list
 - watch
- - apiGroups:
- - sinks.knative.dev
- resources:
- - jobsinks
- - jobsinks/status
- verbs:
- - get
- - list
- - watch
 - apiGroups:
 - ""
 resources:
diff --git a/config/core/roles/addressable-resolvers-clusterrole.yaml b/config/core/roles/addressable-resolvers-clusterrole.yaml
index 7bd948c7149..1f2ece335ef 100644
--- a/config/core/roles/addressable-resolvers-clusterrole.yaml
+++ b/config/core/roles/addressable-resolvers-clusterrole.yaml
@@ -144,3 +144,25 @@ rules:
 - get
 - list
 - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: jobsinks-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+ app.kubernetes.io/version: devel
+ app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - sinks.knative.dev
+ resources:
+ - jobsinks
+ - jobsinks/status
+ verbs:
+ - get
+ - list
+ - watch
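Review bot: The `duck.knative.dev/addressable: "true"` label on the new `jobsinks-addressable-resolver` ClusterRole is what carries the security effect, yet the only comment sits between `metadata` and `rules` and never names the label. Assuming `addressable-resolver` selects on that label in an aggregation rule defined earlier in this file (outside the hunk), every subject bound to it gains cluster-wide `get`/`list`/`watch` on `jobsinks` and `jobsinks/status`. I would state that where the label is set, e.g. `# Aggregated into "addressable-resolver" via this label: grants read-only JobSink access to every subject bound to that role.` The verbs are read-only, which matches what the log in the description shows the resolver needs, and should stay that way if the rule is extended. Because the first hunk drops the same rule from `controller-clusterrole.yaml`, please confirm that the in-memory-channel controller's service account is bound to `addressable-resolver`; the patch does not show that binding.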