Align rbac with upstream

Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
zalando-incubator · Mar 26, 2024 · 00fdf4d · 00fdf4d
1 parent a86efa6
commit 00fdf4d
Showing 1 changed file with 43 additions and 19 deletions.
diff --git a/cluster/manifests/01-vertical-pod-autoscaler/rbac.yaml b/cluster/manifests/01-vertical-pod-autoscaler/rbac.yaml
@@ -42,8 +42,6 @@ rules:
       - list
       - watch
       - create
-      - update
-      - patch
   - apiGroups:
       - "poc.autoscaling.k8s.io"
     resources:
@@ -52,7 +50,6 @@ rules:
       - get
       - list
       - watch
-      - patch
   - apiGroups:
       - "autoscaling.k8s.io"
     resources:
@@ -61,6 +58,18 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:vpa-status-actor
+rules:
+  - apiGroups:
+      - "autoscaling.k8s.io"
+    resources:
+      - verticalpodautoscalers/status
+    verbs:
+      - get
       - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -110,17 +119,12 @@ metadata:
     component: vpa
 rules:
   - apiGroups:
+      - "apps"
       - "extensions"
     resources:
       - replicasets
     verbs:
       - get
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - delete
   - apiGroups:
       - ""
     resources:
@@ -165,6 +169,19 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  name: system:vpa-status-actor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:vpa-status-actor
+subjects:
+  - kind: ServiceAccount
+    name: vpa-recommender
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   name: system:vpa-checkpoint-actor
   labels:
@@ -187,6 +204,13 @@ metadata:
     application: kubernetes
     component: vpa
 rules:
+  - apiGroups:
+    - '*'
+    resources:
+    - '*/scale'
+    verbs:
+    - get
+    - watch
   - apiGroups:
       - ""
     resources:
@@ -241,7 +265,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:vpa-evictionter-binding
+  name: system:vpa-evictioner-binding
   labels:
     application: kubernetes
     component: vpa
@@ -257,29 +281,29 @@ subjects:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: vpa-recommender
+  name: vpa-admission-controller
   namespace: kube-system
   labels:
     application: kubernetes
-    component: vpa-recommender
+    component: vpa-admission-controller
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: vpa-updater
+  name: vpa-recommender
   namespace: kube-system
   labels:
     application: kubernetes
-    component: vpa-updater
+    component: vpa-recommender
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: vpa-admission-controller
+  name: vpa-updater
   namespace: kube-system
   labels:
     application: kubernetes
-    component: vpa-admission-controller
+    component: vpa-updater
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -375,6 +399,6 @@ roleRef:
   kind: ClusterRole
   name: system:vpa-status-reader
 subjects:
-- kind: ServiceAccount
-  name: vpa-updater
-  namespace: kube-system
+  - kind: ServiceAccount
+    name: vpa-updater
+    namespace: kube-system