Add VolumeSnapshot related RBACs to provider service account for TKC/…

…GC (#4491)
vmware-tanzu · Mar 27, 2023 · 170cb6b · 170cb6b
1 parent 62e13dc
commit 170cb6b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/addons/controllers/csi/vspherecsiconfig_controller.go b/addons/controllers/csi/vspherecsiconfig_controller.go
@@ -75,6 +75,11 @@ var providerServiceAccountRBACRules = []rbacv1.PolicyRule{
 		Resources: []string{"events"},
 		Verbs:     []string{"list"},
 	},
+	{
+		APIGroups: []string{""},
+		Resources: []string{"volumesnapshots"},
+		Verbs:     []string{"create", "delete", "get", "list", "patch"},
+	},
 }
 
 // VsphereCSIProviderServiceAccountAggregatedClusterRole is the cluster role to assign permissions to capv provider

diff --git a/addons/controllers/vspherecsiconfig_controller_test.go b/addons/controllers/vspherecsiconfig_controller_test.go
@@ -402,7 +402,7 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 				}
 				Expect(serviceAccount.Spec.Ref.Name).To(Equal(vsphereClusterName))
 				Expect(serviceAccount.Spec.Ref.Namespace).To(Equal(configKey.Namespace))
-				Expect(serviceAccount.Spec.Rules).To(HaveLen(6))
+				Expect(serviceAccount.Spec.Rules).To(HaveLen(7))
 				Expect(serviceAccount.Spec.TargetNamespace).To(Equal("vmware-system-csi"))
 				Expect(serviceAccount.Spec.TargetSecretName).To(Equal("pvcsi-provider-creds"))
 				return nil
@@ -421,7 +421,7 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 				Expect(clusterRole.Labels).To(Equal(map[string]string{
 					constants.CAPVClusterRoleAggregationRuleLabelSelectorKey: constants.CAPVClusterRoleAggregationRuleLabelSelectorValue,
 				}))
-				Expect(clusterRole.Rules).To(HaveLen(6))
+				Expect(clusterRole.Rules).To(HaveLen(7))
 				return nil
 			}, waitTimeout, pollingInterval).Should(Succeed())
 		})