From 68797a10328a5646700f7dafc76e8912d71061f1 Mon Sep 17 00:00:00 2001
From: zhangzujian
Date: Fri, 19 Jul 2024 09:39:58 +0000
Subject: [PATCH] metrics: fix missing rbac for sa ovn (#4312)
Signed-off-by: zhangzujian
---
 charts/kube-ovn/templates/ovn-CR.yaml | 13 ++++++++++++-
 charts/kube-ovn/templates/ovn-CRB.yaml | 15 ++++++++++++++-
 dist/images/install.sh | 26 ++++++++++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/charts/kube-ovn/templates/ovn-CR.yaml b/charts/kube-ovn/templates/ovn-CR.yaml
index dabf3cb387f..9086b42cd96 100644
--- a/charts/kube-ovn/templates/ovn-CR.yaml
+++ b/charts/kube-ovn/templates/ovn-CR.yaml
@@ -154,7 +154,18 @@ rules:
 verbs:
 - get
 - list
-
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/charts/kube-ovn/templates/ovn-CRB.yaml b/charts/kube-ovn/templates/ovn-CRB.yaml
index 72a035d96d3..87ca13d564c 100644
--- a/charts/kube-ovn/templates/ovn-CRB.yaml
+++ b/charts/kube-ovn/templates/ovn-CRB.yaml
@@ -10,7 +10,20 @@ subjects:
 - kind: ServiceAccount
 name: ovn
 namespace: kube-system
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovn
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: ovn
+ namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/dist/images/install.sh b/dist/images/install.sh
index 2d79a853129..4b834d56506 100755
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
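Review bot: The two rules added to the ClusterRole in ovn-CR.yaml carry no comment explaining why a network-plugin service account needs `create` on `tokenreviews` and `subjectaccessreviews`, which matters for later RBAC audits because these verbs let the holder ask the API server to validate any bearer token and evaluate access for any subject. They are the same two rules as the built-in `system:auth-delegator` ClusterRole and are presumably needed for delegated authentication on the metrics endpoint (going by the commit subject), so I would add above the first rule `# delegated authn/authz for the metrics endpoint; same rules as system:auth-delegator`. The same comment belongs on the copy in dist/images/install.sh (`@@ -3029,6 +3029,18 @@`). The `rules:` list starts outside the hunk, so which ClusterRole receives the rules is inferred from the commit subject rather than visible here.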
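Review bot: The new RoleBinding in ovn-CRB.yaml is named just `ovn`, which does not say what it grants, and in a shared namespace like `kube-system` a binding named after its ServiceAccount is harder to pick out when auditing role bindings. A self-describing name such as `name: ovn-extension-apiserver-authentication-reader` would help, provided the project's other bindings do not follow a name-equals-account convention (not visible in this hunk). A one-line comment above `roleRef`, e.g. `# read-only access to the extension-apiserver-authentication ConfigMap`, would also document the intent. The same applies to the copy in dist/images/install.sh (`@@ -3042,6 +3054,20 @@`).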
@@ -3029,6 +3029,18 @@ rules:
 verbs:
 - get
 - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -3042,6 +3054,20 @@ subjects:
 - kind: ServiceAccount
 name: ovn
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: ovn
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - kind: ServiceAccount
+ name: ovn
+ namespace: kube-system
 EOF
 cat < kube-ovn-cni-sa.yaml
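Review bot: The rules and RoleBinding added to this heredoc are a hand-maintained copy of what the same commit adds to charts/kube-ovn/templates/ovn-CR.yaml and ovn-CRB.yaml, and nothing in either hunk ties the two copies together. A later RBAC tightening made in only one place would leave the other install path with broader permissions. A marker comment in both copies, e.g. `# keep in sync with charts/kube-ovn/templates/ovn-CR.yaml`, would make the coupling visible to the next editor; this covers the second install.sh hunk (`@@ -3042,6 +3054,20 @@`) as well. The heredoc opens outside the hunk.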