From 8568a10b9a6111bde78b35a045d622720fbeb646 Mon Sep 17 00:00:00 2001
From: Spencer Hance <shance@google.com>
Date: Tue, 2 Jun 2020 17:55:42 -0700
Subject: [PATCH] Add rbac permissions for networking.gke.io/frontendconfigs

---
 docs/deploy/resources/rbac.yaml | 5 +++++
 hack/update-codegen.sh          | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/docs/deploy/resources/rbac.yaml b/docs/deploy/resources/rbac.yaml
index dec35cbb75..a10284628f 100644
--- a/docs/deploy/resources/rbac.yaml
+++ b/docs/deploy/resources/rbac.yaml
@@ -74,6 +74,11 @@ rules:
 - apiGroups: ["cloud.google.com"]
   resources: ["backendconfigs"]
   verbs: ["get", "list", "watch", "update", "create", "patch"]
+# GLBC ensures that the `networking.gke.io/frontendconfigs` CRD exists and reconciles the configuration
+# https://github.com/kubernetes/ingress-gce/blob/v1.9.4/cmd/glbc/main.go#L118
+- apiGroups: ["networking.gke.io"]
+  resources: ["frontendconfigs"]
+  verbs: ["get", "list", "watch", "update", "create", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index 1834ba7fe2..091429f12b 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -14,6 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# **NOTE** When adding new CRDs. Make sure to include the new rbac permissions in docs/deploy/resources/rbac.yaml
+
 set -o errexit
 set -o nounset
 set -o pipefail