From 3ae29436903056c277c4facf9cfa5bfe7ac7af8f Mon Sep 17 00:00:00 2001
From: Akanksha Panse
Date: Fri, 17 Mar 2023 17:04:53 +0530
Subject: [PATCH] Add VolumeSnapshot related RBACs to provider service account for TKC/GC
---
 addons/controllers/csi/vspherecsiconfig_controller.go | 5 +++++
 addons/controllers/vspherecsiconfig_controller_test.go | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/addons/controllers/csi/vspherecsiconfig_controller.go b/addons/controllers/csi/vspherecsiconfig_controller.go
index 998162e17fa..18a3a8de1e8 100644
--- a/addons/controllers/csi/vspherecsiconfig_controller.go
+++ b/addons/controllers/csi/vspherecsiconfig_controller.go
@@ -75,6 +75,11 @@ var providerServiceAccountRBACRules = []rbacv1.PolicyRule{
 Resources: []string{"events"},
 Verbs: []string{"list"},
 },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"volumesnapshots"},
+ Verbs: []string{"create", "delete", "get", "list", "patch"},
+ },
 }

 // VsphereCSIProviderServiceAccountAggregatedClusterRole is the cluster role to assign permissions to capv provider
diff --git a/addons/controllers/vspherecsiconfig_controller_test.go b/addons/controllers/vspherecsiconfig_controller_test.go
index ba5d448ed68..e5a4818b351 100644
--- a/addons/controllers/vspherecsiconfig_controller_test.go
+++ b/addons/controllers/vspherecsiconfig_controller_test.go
@@ -402,7 +402,7 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 }
 Expect(serviceAccount.Spec.Ref.Name).To(Equal(vsphereClusterName))
 Expect(serviceAccount.Spec.Ref.Namespace).To(Equal(configKey.Namespace))
- Expect(serviceAccount.Spec.Rules).To(HaveLen(6))
+ Expect(serviceAccount.Spec.Rules).To(HaveLen(7))
 Expect(serviceAccount.Spec.TargetNamespace).To(Equal("vmware-system-csi"))
 Expect(serviceAccount.Spec.TargetSecretName).To(Equal("pvcsi-provider-creds"))
 return nil
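Review bot: The added rule lists `volumesnapshots` under `APIGroups: []string{""}`, which is the core group, whereas VolumeSnapshot is normally served from the `snapshot.storage.k8s.io` group by the external-snapshotter CRDs. RBAC matches on group plus resource, so if the target cluster uses the standard CRD this entry grants the provider service account nothing and snapshot requests will be denied; in that case the line should read `APIGroups: []string{"snapshot.storage.k8s.io"},`. The verbs include `delete` and `patch` on every snapshot in the namespace the role is bound to, so a short comment above the rule naming the CSI operation that needs each verb would help a later least-privilege review. The slice literal starts outside the hunk.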
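Review bot: The updated `HaveLen(7)` assertion only counts the rules, so it passes regardless of which API group, resource or verbs the new entry carries. This list defines what the provider service account credential may do, so the test should pin the new rule's content as well, for example `Expect(serviceAccount.Spec.Rules).To(ContainElement(expectedSnapshotRule))` with `expectedSnapshotRule` (a name constructed here) being the intended `rbacv1.PolicyRule`. That would catch both a mistaken API group and an unintended widening of verbs. The enclosing closure starts and ends outside the hunk.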