From c42657bb747566a0efc75d6cbd39a8dcdab4272e Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Fri, 19 Jun 2020 14:59:59 -0700
Subject: [PATCH] Add the missing RBAC for leaderelection

The components need to be able to create leases. When we update knative.dev/pkg (not in this change) the webhook will need to be able to read config-leader-election as well.
---
 config/200-clusterrole.yaml | 13 +++++++++++
 config/200-role.yaml | 2 +-
 config/201-clusterrolebinding.yaml | 35 ++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index d46ab8022c9..30c86613cfd 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -106,3 +106,16 @@ rules:
 resources: ["podsecuritypolicies"]
 resourceNames: ["tekton-pipelines"]
 verbs: ["use"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tekton-pipelines-leader-election
+ labels:
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+rules:
+ # We uses leases for leaderelection
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/config/200-role.yaml b/config/200-role.yaml
index d91c3c01311..10682ab046c 100644
--- a/config/200-role.yaml
+++ b/config/200-role.yaml
@@ -48,7 +48,7 @@ rules:
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get"]
- resourceNames: ["config-logging", "config-observability"]
+ resourceNames: ["config-logging", "config-observability", "config-leader-election"]
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["list", "watch"]
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index f0b915c1e18..cc212710602 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
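Review bot: In config/200-clusterrole.yaml, the new `tekton-pipelines-leader-election` rule grants `create`, `update`, `patch` and `delete` on every `leases` object in the cluster, because config/201-clusterrolebinding.yaml binds it with ClusterRoleBindings. Leader election presumably only needs leases in the components' own namespace (`tekton-pipelines`, per the binding subjects). As written, a compromised controller or webhook service account could alter or delete leases that unrelated components depend on for their own leader election. Consider declaring this as `kind: Role` with `namespace: tekton-pipelines` under `metadata` and binding it with a `RoleBinding`, and dropping `delete` if the election library never removes its lease. The rule comment could also read `# Leases are used for leader election.`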
@@ -29,6 +29,23 @@ roleRef:
 name: tekton-pipelines-controller-cluster-access
 apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-controller-leaderelection
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelines-controller
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelines-leader-election
+ apiGroup: rbac.authorization.k8s.io
+---
 # If this ClusterRoleBinding is replaced with a RoleBinding
 # then the ClusterRole would be namespaced. The access described by
 # the tekton-pipelines-controller-tenant-access ClusterRole would
@@ -66,3 +83,21 @@ roleRef:
 kind: ClusterRole
 name: tekton-pipelines-webhook-cluster-access
 apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: tekton-pipelines-webhook-leaderelection
+ labels:
+ app.kubernetes.io/component: webhook
+ app.kubernetes.io/instance: default
+ app.kubernetes.io/part-of: tekton-pipelines
+subjects:
+ - kind: ServiceAccount
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+roleRef:
+ kind: ClusterRole
+ name: tekton-pipelines-leader-election
+ apiGroup: rbac.authorization.k8s.io
+
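Review bot: Both bindings added in config/201-clusterrolebinding.yaml (`tekton-pipelines-controller-leaderelection` and `tekton-pipelines-webhook-leaderelection`) declare `apiVersion: rbac.authorization.k8s.io/v1beta1`, while the ClusterRole added by the same commit uses `rbac.authorization.k8s.io/v1`. The v1beta1 RBAC API is deprecated and was removed in Kubernetes 1.22, so these documents would stop applying on newer clusters. `apiVersion: rbac.authorization.k8s.io/v1` accepts the same fields. The other bindings in this file lie outside the hunks and may use v1beta1 as well, in which case they are worth migrating together.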