From 9ce34be2177277690c0fa838958dba3b9f0e6475 Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Fri, 18 Sep 2020 11:12:45 +0200
Subject: [PATCH] Added missing permissions for operator. (#6683)

Related commit: https://github.com/cilium/cilium/commit/976337b750ac8110b128fa25105e2fcc91ccd223

---
 .../cilium/templates/cilium-cr.yml.j2 | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
index 1fbf26235..8220d99f8 100644
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -69,6 +69,25 @@ rules:
 - get
 - list
 - watch
+{% if cilium_version | regex_replace('v') is version('1.8', '>=') %}
+ # For cilium-operator running in HA mode.
+ #
+ # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
+ # between mulitple running instances.
+ # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
+ # common and fewer objects in the cluster watch "all Leases".
+ # The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release.
+ # In Cilium we currently don't support HA mode for K8s version < 1.14. This condition make sure
+ # that we only authorize access to leases resources in supported K8s versions.
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+{% endif %}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
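Review bot: The explanatory comment added above the new rule does not match the condition that guards it: the last two comment lines say the lease access is only authorized "in supported K8s versions" (K8s >= 1.14), but the `{% if %}` tests `cilium_version`, not the Kubernetes version, so on an older cluster the rule is still rendered and merely refers to a resource the API server does not serve (accepted by RBAC, but misleading to whoever reads the template). Either gate on the Kubernetes version as well or reword those two lines to `# This rule is only emitted for Cilium >= 1.8; it does not check the Kubernetes version, and HA mode is unsupported on K8s < 1.14.`, and while touching it fix `mulitple` and `This condition make sure` -> `makes sure`. Separately, the grant is `create`/`get`/`update` on every Lease cluster-wide; a leader-election lock lives in one namespace under a fixed name, so if this ClusterRole is bound only to the operator, a namespaced Role or a `resourceNames` restriction on `get`/`update` (`create` cannot be name-restricted in RBAC) would keep the subject from modifying other components' leader locks. The `rules:` list and the ClusterRole that owns it begin outside the hunk, so which ServiceAccount this binds to cannot be confirmed from here.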