diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java index 1eac16be796a0..ec91ba8b7f961 100644 --- a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java +++ b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java @@ -104,6 +104,7 @@ public class KubernetesCommonHelper { private static final String[] PROMETHEUS_ANNOTATION_TARGETS = { "Service", "Deployment", "DeploymentConfig" }; private static final String DEFAULT_ROLE_NAME_VIEW = "view"; + private static final List LIST_WITH_EMPTY = List.of(""); public static Optional createProject(ApplicationInfoBuildItem app, Optional customProjectRoot, OutputTargetBuildItem outputTarget, @@ -1011,7 +1012,7 @@ private static List toPolicyRulesList(Map return policyRules.values() .stream() .map(it -> new PolicyRuleBuilder() - .withApiGroups(it.apiGroups.orElse(null)) + .withApiGroups(it.apiGroups.orElse(LIST_WITH_EMPTY)) .withNonResourceURLs(it.nonResourceUrls.orElse(null)) .withResourceNames(it.resourceNames.orElse(null)) .withResources(it.resources.orElse(null)) diff --git a/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java b/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java index 3ff3de62fb547..e93f96d605418 100644 --- a/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java +++ b/integration-tests/kubernetes/quarkus-standard-way/src/test/java/io/quarkus/it/kubernetes/KubernetesWithRbacFullTest.java @@ -61,6 +61,7 @@ public void assertGeneratedResources() throws IOException { Role podWriterRole = getRoleByName(kubernetesList, "pod-writer"); assertEquals(APP_NAMESPACE, podWriterRole.getMetadata().getNamespace()); assertThat(podWriterRole.getRules()).satisfiesOnlyOnce(r -> { + assertThat(r.getApiGroups()).containsExactly(""); assertThat(r.getResources()).containsExactly("pods"); assertThat(r.getVerbs()).containsExactly("update"); }); @@ -69,6 +70,7 @@ public void assertGeneratedResources() throws IOException { Role podReaderRole = getRoleByName(kubernetesList, "pod-reader"); assertEquals("projectb", podReaderRole.getMetadata().getNamespace()); assertThat(podReaderRole.getRules()).satisfiesOnlyOnce(r -> { + assertThat(r.getApiGroups()).containsExactly(""); assertThat(r.getResources()).containsExactly("pods"); assertThat(r.getVerbs()).containsExactly("get", "watch", "list"); }); @@ -76,6 +78,7 @@ public void assertGeneratedResources() throws IOException { // secret-reader assertions ClusterRole secretReaderRole = getClusterRoleByName(kubernetesList, "secret-reader"); assertThat(secretReaderRole.getRules()).satisfiesOnlyOnce(r -> { + assertThat(r.getApiGroups()).containsExactly(""); assertThat(r.getResources()).containsExactly("secrets"); assertThat(r.getVerbs()).containsExactly("get", "watch", "list"); });