epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-28 09:39:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix calico etcd mode networkpolicy RBAC (#12344)

Browse Source
This commit is contained in:
Chad Swenson
2025-06-27 06:50:29 -05:00
committed by GitHub
parent 048967e3b0
commit ede92b0654
1 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
View File

@@ -6,19 +6,26 @@ metadata:
namespace: kube-system namespace: kube-system
rules: rules:
{% if calico_datastore == "etcd" %} {% if calico_datastore == "etcd" %}
- apiGroups: # Pods are monitored for changing labels.
- "" # The node controller monitors Kubernetes nodes.
- extensions # Namespace and serviceaccount labels are used for policy.
- apiGroups: [""]
resources: resources:
- pods - pods
- namespaces
- networkpolicies
- nodes - nodes
- namespaces
- serviceaccounts - serviceaccounts
verbs: verbs:
- watch - watch
- list - list
- get - get
# Watch for changes to Kubernetes NetworkPolicies.
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- watch
- list
{% elif calico_datastore == "kdd" %} {% elif calico_datastore == "kdd" %}
# Nodes are watched to monitor for deletions. # Nodes are watched to monitor for deletions.
- apiGroups: [""] - apiGroups: [""]