From 5fb85dc8a58e9ce5bbb4e9a59466d64ead6a215e Mon Sep 17 00:00:00 2001
From: k8s-infra-cherrypick-robot <90416843+k8s-infra-cherrypick-robot@users.noreply.github.com>
Date: Fri, 2 Jan 2026 07:30:35 -0800
Subject: [PATCH] Add rbac for calico kube-controllers to access services (#12831)

Co-authored-by: Lawik974
---
 .../calico/templates/calico-kube-cr.yml.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
index 12fe15dab..d71b48c8b 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -26,6 +26,16 @@ rules:
 verbs:
 - watch
 - list
+ # Services are monitored for service LoadBalancer IP allocation
+ - apiGroups: [""]
+ resources:
+ - services
+ - services/status
+ verbs:
+ - get
+ - list
+ - update
+ - watch
 {% elif calico_datastore == "kdd" %}
 # Nodes are watched to monitor for deletions.
 - apiGroups: [""]
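Review bot: The added rule grants `update` on `services` as well as on `services/status`, so the kube-controllers service account can rewrite any Service object cluster-wide (assuming this template renders a ClusterRole), while the added comment only justifies LoadBalancer IP allocation. If the Calico release this template targets writes the allocated address through the status subresource only, keep `get`/`list`/`watch` on `services` and move `update` into a separate rule scoped to `services/status`, as sketched below; confirm against the upstream Calico manifest before narrowing. The rule also lands just before `{% elif calico_datastore == "kdd" %}`, so it applies only to the preceding datastore branch; the `kdd` branch lies outside this hunk and should be checked for an equivalent rule.

```yaml
  # Services are monitored for service LoadBalancer IP allocation
  - apiGroups: [""]
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # Write access is limited to the status subresource
  - apiGroups: [""]
    resources:
      - services/status
    verbs:
      - update
```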