Merge branch 'master' into issue-638

# Conflicts: # docs/CHANGELOG.md
VictoriaMetrics · Sep 27, 2023 · b89ad9d · b89ad9d
2 parents ffef1ac + 958ce2b
commit b89ad9d
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 6 deletions.
diff --git a/config/examples/operator_rbac_for_single_namespace.yaml b/config/examples/operator_rbac_for_single_namespace.yaml
@@ -23,11 +23,18 @@ metadata:
   name: vm-operator-single-ns-only
   namespace: default
 rules:
+  - apiGroups:
+      - "discovery.k8s.io"
+    resources:
+      - endpointslices
+    verbs:
+      - 'list'
+      - 'watch'
+      - 'get'
   - apiGroups:
       - ""
     resources:
       - endpoints
-      - endpointslices
     verbs:
       - 'list'
       - 'watch'

diff --git a/config/examples/vmagent_rbac.yaml b/config/examples/vmagent_rbac.yaml
@@ -9,7 +9,7 @@ kind: ClusterRole
 metadata:
   name: vmagent
 rules:
-  - apiGroups: ["","networking.k8s.io","extensions"]
+  - apiGroups: ["","networking.k8s.io","extensions","discovery.k8s.io"]
     resources:
       - nodes
       - nodes/metrics

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -277,6 +277,14 @@ rules:
     - get
     - patch
     - update
+- apiGroups:
+    - "discovery.k8s.io"
+  resources:
+    - endpointslices
+  verbs:
+    - 'list'
+    - 'watch'
+    - 'get'
 - apiGroups:
     - ""
   resources:
@@ -286,7 +294,6 @@ rules:
     - services
     - endpoints
     - pods
-    - endpointslices
     - configmaps
   verbs:
     - get

diff --git a/controllers/factory/vmagent/rbac.go b/controllers/factory/vmagent/rbac.go
@@ -15,6 +15,17 @@ import (
 
 var (
 	singleNSPolicyRules = []rbacV1.PolicyRule{
+		{
+			APIGroups: []string{"discovery.k8s.io"},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
+			},
+			Resources: []string{
+				"endpointslices",
+			},
+		},
 		{
 			APIGroups: []string{""},
 			Verbs: []string{
@@ -26,7 +37,6 @@ var (
 				"services",
 				"endpoints",
 				"pods",
-				"endpointslices",
 				"secrets",
 				"configmaps",
 			},
@@ -44,6 +54,17 @@ var (
 		},
 	}
 	clusterWidePolicyRules = []rbacV1.PolicyRule{
+		{
+			APIGroups: []string{"discovery.k8s.io"},
+			Verbs: []string{
+				"get",
+				"list",
+				"watch",
+			},
+			Resources: []string{
+				"endpointslices",
+			},
+		},
 		{
 			APIGroups: []string{""},
 			Verbs: []string{
@@ -58,7 +79,6 @@ var (
 				"services",
 				"endpoints",
 				"pods",
-				"endpointslices",
 				"configmaps",
 				"namespaces",
 				"secrets",

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -16,6 +16,7 @@ title: CHANGELOG
 
 - [vmcluster](./api.html#vmcluster): remove redundant annotation `operator.victoriametrics/last-applied-spec` from created workloads like vmstorage statefulset.
 - [vmoperator](./README.md): properly resize statefulset's multiple pvc when needed and allowable, before they could be updated with wrong size.
+- [vmoperator](./README.md): fix wrong api group of endpointsices, before vmagent won't able to access endpointsices resources with default rbac rule.
 
 <a name="v0.38.0"></a>
 ## [v0.38.0](https://github.com/VictoriaMetrics/operator/releases/tag/v0.38.0) - 11 Sep 2023

diff --git a/hack/bundle_csv_vmagent.yaml b/hack/bundle_csv_vmagent.yaml
@@ -3,7 +3,7 @@ spec:
     spec:
       clusterPermissions:
         - rules:
-            - apiGroups: [ "","networking.k8s.io","extensions" ]
+            - apiGroups: [ "","networking.k8s.io","extensions","discovery.k8s.io" ]
               resources:
                 - nodes
                 - nodes/metrics