From 47140083dc35a93f800756523a60915e717a808a Mon Sep 17 00:00:00 2001 From: Chris Ricker Date: Fri, 14 Nov 2025 03:23:38 -0500 Subject: [PATCH] Update Calico apiserver RBAC for Kubernetes 1.33+ (#12654) Add missing RBAC permissions for Calico apiserver to function correctly with Kubernetes 1.33+ Changes: 1. Add K8s 1.33 ValidatingAdmissionPolicy resources to calico-webhook-reader - validatingadmissionpolicies - validatingadmissionpolicybindings Kubernetes 1.33 introduced ValidatingAdmissionPolicy resources (KEP-3488) that require explicit RBAC permissions. Without these changes, Calico apiserver on k8s 1.33+ will not work and needless errors are logged
---
 roles/network_plugin/calico/templates/calico-apiserver.yml.j2 | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
index e49c2b2d0..06f476f02 100644
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -235,6 +235,8 @@ rules:
 resources:
 - mutatingwebhookconfigurations
 - validatingwebhookconfigurations
+ - validatingadmissionpolicies # Required for Kubernetes 1.33+
+ - validatingadmissionpolicybindings # Required for Kubernetes 1.33+
 verbs:
 - get
 - list
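Review bot: The two added comments `# Required for Kubernetes 1.33+` tie the grant to a cluster version rather than to the component that needs it. ValidatingAdmissionPolicy has been a GA `admissionregistration.k8s.io` resource since Kubernetes 1.30, so the version tag is likely to mislead whoever audits this rule later. A comment that names the consumer would age better, for example `# read by the calico-apiserver admission chain (ValidatingAdmissionPolicy)`, assuming that is in fact what issues the list/watch calls. The rule's `apiGroups` line and the rest of the `verbs` list lie outside the hunk, so it is worth confirming that the group is `admissionregistration.k8s.io` and that the verbs stay read-only, since the new resources inherit whatever verbs this rule already grants.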