From bf14487e8a34481b108cbe9d79491362d1190ba2 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Thu, 9 Mar 2023 16:15:03 +0200
Subject: [PATCH 1/2] helm: fix topology-updater rbac clusterrole
Access to nodes/proxy resource was accidentally given to nfd-master (which really doesn't need it), not topology-updater.
---
 .../templates/clusterrole.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
index 3dd6f6f3b6..135bc154af 100644
--- a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
+++ b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
@@ -18,12 +18,6 @@ rules:
 - patch
 - update
 - list
-- apiGroups:
- - ""
- resources:
- - nodes/proxy
- verbs:
- - get
 - apiGroups:
 - nfd.k8s-sigs.io
 resources:
@@ -51,6 +45,12 @@ rules:
 verbs:
 - get
 - list
+- apiGroups:
+ - ""
+ resources:
+ - nodes/proxy
+ verbs:
+ - get
 - apiGroups:
 - ""
 resources:
From 12c2b897ec6133f4f40336b09ff166e747c38722 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Thu, 9 Mar 2023 16:16:09 +0200
Subject: [PATCH 2/2] helm: create topology-updater RBAC rules by default
Create RBAC rules if topology-updater is enabled. Previously installing with topologyUpdater.enable=true (without topologyUpdater.rbac.create=true) resulted in a crashloogbackoff as RBAC was missing.
---
 .../helm/node-feature-discovery/templates/clusterrole.yaml | 2 +-
 deployment/helm/node-feature-discovery/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
index 135bc154af..2699dfe5dd 100644
--- a/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
+++ b/deployment/helm/node-feature-discovery/templates/clusterrole.yaml
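Review bot: The rule added in the second hunk (`@@ -51,6 +45,12 @@`) grants `get` on `nodes/proxy` cluster-wide, and nothing in the template says why topology-updater needs it. Access to the node proxy subresource reaches the kubelet API of every node through the API server, which is much broader than the `get`/`list` rules around it, so the grant deserves a recorded justification. I would add a comment above the rule along the lines of `# nodes/proxy: needed by topology-updater (presumably to query the kubelet through the API server); exposes the kubelet API of all nodes, do not copy into other roles`. The enclosing `rules:` list starts and ends outside the hunk, so which ClusterRole the rule lands in is known only from the commit message.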
@@ -30,7 +30,7 @@ rules:
 {{- end }}
 ---
-{{- if .Values.topologyUpdater.rbac.create }}
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/deployment/helm/node-feature-discovery/values.yaml b/deployment/helm/node-feature-discovery/values.yaml
index a5beb620d3..c08254422b 100644
--- a/deployment/helm/node-feature-discovery/values.yaml
+++ b/deployment/helm/node-feature-discovery/values.yaml
@@ -390,7 +390,7 @@ topologyUpdater:
 annotations: {}
 name:
 rbac:
- create: false
+ create: true
 kubeletConfigPath:
 kubeletPodResourcesSockPath:
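Review bot: The new guard `and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create` is applied only to the ClusterRole; the diffstat shows no other template touched. If the topology-updater ClusterRoleBinding and ServiceAccount templates still test `rbac.create` alone, then with the default flipped to `true` a default install that leaves topology-updater disabled would render a binding to a ClusterRole that is never created. A dangling binding takes effect silently if a role of that name appears later, so the same `and` condition should guard every place these RBAC objects are rendered. The ClusterRole definition continues past the end of the hunk.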
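Review bot: `create: true` in the values.yaml hunk changes what an existing `topologyUpdater.enable=true` install receives on upgrade, and nothing next to the key says so. According to the first patch in this series the topology-updater role carries `get` on `nodes/proxy`, so operators who manage RBAC outside the chart now have to opt out explicitly. A comment on the key would make that visible, for example `# rendered only when topologyUpdater.enable is true; set to false if RBAC is managed outside the chart`.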