From 170cb6b9cefe82b3691f4ec46ce6a507b7ae2a65 Mon Sep 17 00:00:00 2001
From: Akanksha Panse
Date: Fri, 24 Mar 2023 11:13:11 +0530
Subject: [PATCH] Add VolumeSnapshot related RBACs to provider service account for TKC/GC (#4491)
---
 addons/controllers/csi/vspherecsiconfig_controller.go | 5 +++++
 addons/controllers/vspherecsiconfig_controller_test.go | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/addons/controllers/csi/vspherecsiconfig_controller.go b/addons/controllers/csi/vspherecsiconfig_controller.go
index 998162e17f..18a3a8de1e 100644
--- a/addons/controllers/csi/vspherecsiconfig_controller.go
+++ b/addons/controllers/csi/vspherecsiconfig_controller.go
@@ -75,6 +75,11 @@ var providerServiceAccountRBACRules = []rbacv1.PolicyRule{
 Resources: []string{"events"},
 Verbs: []string{"list"},
 },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"volumesnapshots"},
+ Verbs: []string{"create", "delete", "get", "list", "patch"},
+ },
 }

 // VsphereCSIProviderServiceAccountAggregatedClusterRole is the cluster role to assign permissions to capv provider
diff --git a/addons/controllers/vspherecsiconfig_controller_test.go b/addons/controllers/vspherecsiconfig_controller_test.go
index ba5d448ed6..c48b5df3f8 100644
--- a/addons/controllers/vspherecsiconfig_controller_test.go
+++ b/addons/controllers/vspherecsiconfig_controller_test.go
@@ -402,7 +402,7 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 }
 Expect(serviceAccount.Spec.Ref.Name).To(Equal(vsphereClusterName))
 Expect(serviceAccount.Spec.Ref.Namespace).To(Equal(configKey.Namespace))
- Expect(serviceAccount.Spec.Rules).To(HaveLen(6))
+ Expect(serviceAccount.Spec.Rules).To(HaveLen(7))
 Expect(serviceAccount.Spec.TargetNamespace).To(Equal("vmware-system-csi"))
 Expect(serviceAccount.Spec.TargetSecretName).To(Equal("pvcsi-provider-creds"))
 return nil
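Review bot: The rule added to `providerServiceAccountRBACRules` lists `volumesnapshots` under the core API group (`APIGroups: []string{""}`), but VolumeSnapshot objects are normally served from `snapshot.storage.k8s.io`, so as written the rule would likely match nothing and snapshot requests from the provider service account would still be denied. If that is the group the target cluster exposes, the line should read `APIGroups: []string{"snapshot.storage.k8s.io"},`. It is also worth confirming that `delete` and `patch` are both required, since the test hunks suggest the same rule set also lands in the aggregated ClusterRole and least privilege applies there too. The slice literal starts above this hunk, so the other rules are not visible here.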
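Review bot: `Expect(serviceAccount.Spec.Rules).To(HaveLen(7))` only checks the number of rules, so a rule with the wrong API group, resource or verbs still passes; the `clusterRole.Rules` assertion in the hunk at line 421 has the same gap. Consider also asserting the content of the new permission, for example `Expect(serviceAccount.Spec.Rules).To(ContainElement(expectedSnapshotRule))`, where `expectedSnapshotRule` is the `rbacv1.PolicyRule` the controller is meant to grant (assuming the test file can import `rbacv1`). The enclosing closure starts and ends outside both hunks.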
@@ -421,7 +421,7 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 Expect(clusterRole.Labels).To(Equal(map[string]string{
 constants.CAPVClusterRoleAggregationRuleLabelSelectorKey: constants.CAPVClusterRoleAggregationRuleLabelSelectorValue,
 }))
- Expect(clusterRole.Rules).To(HaveLen(6))
+ Expect(clusterRole.Rules).To(HaveLen(7))
 return nil
 }, waitTimeout, pollingInterval).Should(Succeed())
 })