From e2f4d3a5636a1f5980c7261c2dc4f2ea7e977843 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Wed, 13 Dec 2023 11:10:25 +0100 Subject: [PATCH] fix(kong): add RBAC rules for listing namespaces when gateway API is detected (#974) * fix(kong): add RBAC rules for listing namespaces when gateway API is detected * kong: add watch permissions to ClusterRole --- charts/kong/CHANGELOG.md | 8 ++++++++ charts/kong/templates/_helpers.tpl | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index f4f5c5395..2a6479138 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## Unreleased + +### Fixed + +* Add RBAC rules for get, list and watch operations on namespaces so that Gateway API + controllers in KIC can access using a cached controller-runtime client. + [#974](https://github.com/Kong/charts/pull/974) + ## 2.33.2 * Fix a template bug related to the `affinity` field for migrations Pods. diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index c097636b1..395ed2e80 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl @@ -1255,7 +1255,6 @@ Kubernetes namespace-scoped resources it uses to build Kong configuration. Collectively, these are built from: kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main -kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/knative?ref=main kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main However, there is no way to generate the split between cluster and namespaced @@ -1675,6 +1674,14 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration. verbs: - get - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch {{- end }} - apiGroups: - networking.k8s.io
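Review bot: In the charts/kong/CHANGELOG.md hunk, the new entry's clause "so that Gateway API controllers in KIC can access using a cached controller-runtime client" has no object for "access". Suggest "can access them using a cached controller-runtime client", so the entry states that namespaces are what is being read. A reader who audits RBAC changes from the changelog should not have to open the template to find out.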
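Review bot: In the first charts/kong/templates/_helpers.tpl hunk (@@ -1255), the deleted comment line "kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/knative?ref=main" is not explained by the commit message or the CHANGELOG entry, which both describe only the namespace RBAC rules. Either mention in the commit message that the knative source is being dropped, or move the deletion to its own commit. That comment documents where the chart's RBAC rules are generated from, so a change to it should be traceable on its own.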
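Review bot: In the second charts/kong/templates/_helpers.tpl hunk (@@ -1675), the new rule granting get, list and watch on namespaces in the cluster-scoped role carries no comment explaining why all three verbs are needed. The CHANGELOG ties it to a cached controller-runtime client, but nothing in the template records that reason. Suggest a template comment above "- apiGroups:" stating it, so that a later least-privilege pass does not trim list or watch and break the Gateway API controllers. The rule is added directly before "{{- end }}", so it only renders when the enclosing condition holds. That condition is outside the visible lines, so please confirm it is the Gateway API detection named in the subject line and not a wider block. The grant is cluster-wide read access to every Namespace object, including its labels and annotations, so it should only be present when the Gateway API controllers that need it are enabled.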