Merge pull request #326 from gthiemonge/fix-rbac-nodes

Add missing RBAC to get the list of nodes
openstack-k8s-operators · Jun 17, 2024 · 7e66f41 · 7e66f41
2 parents 2787761 + fbd1fdb
commit 7e66f41
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -5,6 +5,13 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
 - apiGroups:
   - ""
   resources:

diff --git a/controllers/amphoracontroller_controller.go b/controllers/amphoracontroller_controller.go
@@ -87,6 +87,7 @@ func (r *OctaviaAmphoraControllerReconciler) GetLogger(ctx context.Context) logr
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list
 
 // Reconcile implementation of the reconcile loop for amphora
 // controllers like the octavia housekeeper, worker and health manager

diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
@@ -103,6 +103,7 @@ func (r *OctaviaReconciler) GetLogger(ctx context.Context) logr.Logger {
 // service account permissions that are needed to grant permission to the above
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid;privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch
+// +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
@@ -720,7 +721,10 @@ func (r *OctaviaReconciler) reconcileNormal(ctx context.Context, instance *octav
 	// * do we want to provide a mechanism to temporarily disabling this list
 	// for maintenance windows where nodes might be "coming and going"
 
-	nodes, _ := helper.GetKClient().CoreV1().Nodes().List(ctx, metav1.ListOptions{})
+	nodes, err := helper.GetKClient().CoreV1().Nodes().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return ctrl.Result{}, err
+	}
 	updatedMap := make(map[string]string)
 	allocatedIPs := make(map[string]bool)
 	var predictableIPsRequired []string