Add VolumeSnapshot related RBACs to provider service account for TKC/GC

vmware-tanzu · Mar 17, 2023 · 3ae2943 · 3ae2943
1 parent 20d147c
commit 3ae2943
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/addons/controllers/csi/vspherecsiconfig_controller.go b/addons/controllers/csi/vspherecsiconfig_controller.go
@@ -75,6 +75,11 @@ var providerServiceAccountRBACRules = []rbacv1.PolicyRule{
 		Resources: []string{"events"},
 		Verbs:     []string{"list"},
 	},
+	{
+		APIGroups: []string{""},
+		Resources: []string{"volumesnapshots"},
+		Verbs:     []string{"create", "delete", "get", "list", "patch"},
+	},
 }
 
 // VsphereCSIProviderServiceAccountAggregatedClusterRole is the cluster role to assign permissions to capv provider

diff --git a/addons/controllers/vspherecsiconfig_controller_test.go b/addons/controllers/vspherecsiconfig_controller_test.go
@@ -402,7 +402,7 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 				}
 				Expect(serviceAccount.Spec.Ref.Name).To(Equal(vsphereClusterName))
 				Expect(serviceAccount.Spec.Ref.Namespace).To(Equal(configKey.Namespace))
-				Expect(serviceAccount.Spec.Rules).To(HaveLen(6))
+				Expect(serviceAccount.Spec.Rules).To(HaveLen(7))
 				Expect(serviceAccount.Spec.TargetNamespace).To(Equal("vmware-system-csi"))
 				Expect(serviceAccount.Spec.TargetSecretName).To(Equal("pvcsi-provider-creds"))
 				return nil