Update Calico apiserver RBAC for Kubernetes 1.33+ (#12654)

Add missing RBAC permissions for Calico apiserver to function correctly with Kubernetes 1.33+ Changes: 1. Add K8s 1.33 ValidatingAdmissionPolicy resources to calico-webhook-reader - validatingadmissionpolicies - validatingadmissionpolicybindings Kubernetes 1.33 introduced ValidatingAdmissionPolicy resources (KEP-3488) that require explicit RBAC permissions. Without these changes, Calico apiserver on k8s 1.33+ will not work and needless errors are logged
2025-12-13 21:34:40 +03:00 · 2025-11-14 03:23:38 -05:00
parent 2d179879a0
commit 47140083dc
1 changed files with 2 additions and 0 deletions
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -235,6 +235,8 @@ rules:
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
+  - validatingadmissionpolicies        # Required for Kubernetes 1.33+
+  - validatingadmissionpolicybindings  # Required for Kubernetes 1.33+
  verbs:
  - get
  - list