Added pod permissions in etcd-role (#372) (#379)

* Added pod permissions in etcd-role * Updated unit tests * Removed unneeded pod permissions
gardener · Jul 22, 2022 · 3ec4d7e · 3ec4d7e
1 parent b793f8e
commit 3ec4d7e
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/charts/etcd/templates/etcd-role.yaml b/charts/etcd/templates/etcd-role.yaml
@@ -36,4 +36,12 @@ rules:
   - list
   - patch
   - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
   - watch
diff --git a/controllers/etcd_controller_test.go b/controllers/etcd_controller_test.go
@@ -953,6 +953,19 @@ func validateRole(instance *druidv1alpha1.Etcd, role *rbac.Role) {
 					"watch":  Equal("watch"),
 				}),
 			}),
+			"": MatchFields(IgnoreExtras, Fields{
+				"APIGroups": MatchAllElements(stringArrayIterator, Elements{
+					"": Equal(""),
+				}),
+				"Resources": MatchAllElements(stringArrayIterator, Elements{
+					"pods": Equal("pods"),
+				}),
+				"Verbs": MatchAllElements(stringArrayIterator, Elements{
+					"list":  Equal("list"),
+					"get":   Equal("get"),
+					"watch": Equal("watch"),
+				}),
+			}),
 		}),
 	}))
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -36,4 +36,12 @@ rules: @@
       - list
       - patch
       - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - pods
+      verbs:
+      - get
+      - list
       - watch