Merge pull request #3473 from LorcanMcVeigh/lorcan/add-deployments-fo…

…r-waf [RS-2023] Add back services RBAC permissions
tigera · Aug 27, 2024 · bef5d5c · bef5d5c
2 parents fa15ace + f906bf8
commit bef5d5c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -1533,12 +1533,17 @@ func (c *apiServerComponent) tigeraUserClusterRole() *rbacv1.ClusterRole {
 			Resources: []string{"applicationlayers", "packetcaptureapis", "compliances", "intrusiondetections"},
 			Verbs:     []string{"get"},
 		},
-		// Allow the user to read services to view WAF configuration.
 		{
 			APIGroups: []string{"apps"},
 			Resources: []string{"deployments"},
 			Verbs:     []string{"get", "list", "watch"},
 		},
+		// Allow the user to read services to view WAF configuration.
+		{
+			APIGroups: []string{""},
+			Resources: []string{"services"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
 		// Allow the user to read felixconfigurations to detect if wireguard and/or other features are enabled.
 		{
 			APIGroups: []string{"projectcalico.org"},
@@ -1707,6 +1712,11 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 			Resources: []string{"deployments"},
 			Verbs:     []string{"get", "list", "watch", "patch"},
 		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"services"},
+			Verbs:     []string{"get", "list", "watch", "patch"},
+		},
 		// Allow the user to read felixconfigurations to detect if wireguard and/or other features are enabled.
 		{
 			APIGroups: []string{"projectcalico.org"},

diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go
@@ -1360,6 +1360,11 @@ var (
 			Resources: []string{"deployments"},
 			Verbs:     []string{"get", "list", "watch"},
 		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"services"},
+			Verbs:     []string{"get", "list", "watch"},
+		},
 		{
 			APIGroups: []string{"projectcalico.org"},
 			Resources: []string{"felixconfigurations"},
@@ -1488,6 +1493,11 @@ var (
 			Resources: []string{"deployments"},
 			Verbs:     []string{"get", "list", "watch", "patch"},
 		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"services"},
+			Verbs:     []string{"get", "list", "watch", "patch"},
+		},
 		{
 			APIGroups: []string{"projectcalico.org"},
 			Resources: []string{"felixconfigurations"},