From dcb21dfb148f47b5dfd39bd136398e04c4c21935 Mon Sep 17 00:00:00 2001
From: Jiawei Huang <jiawei@tigera.io>
Date: Fri, 30 Aug 2024 10:55:44 -0700
Subject: [PATCH] Add hostendpoints get and list to tigera ui and admin users
 (#3484)

This changeset adds `hostendpoints` get and list rbac for the built-in
`tigera-ui-user` and `tigera-network-admin` users.
---
 pkg/render/apiserver.go      | 12 ++++++++++++
 pkg/render/apiserver_test.go | 10 ++++++++++
 2 files changed, 22 insertions(+)

diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
index 9b68dc8d7f..320e1bf77e 100644
--- a/pkg/render/apiserver.go
+++ b/pkg/render/apiserver.go
@@ -1485,6 +1485,12 @@ func (c *apiServerComponent) tigeraUserClusterRole() *rbacv1.ClusterRole {
 			Resources: []string{"clusterinformations"},
 			Verbs:     []string{"get", "list"},
 		},
+		// Access to hostendpoints from the UI ServiceGraph.
+		{
+			APIGroups: []string{"projectcalico.org"},
+			Resources: []string{"hostendpoints"},
+			Verbs:     []string{"get", "list"},
+		},
 		// List and view the threat defense configuration
 		{
 			APIGroups: []string{"projectcalico.org"},
@@ -1664,6 +1670,12 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 			Resources: []string{"clusterinformations"},
 			Verbs:     []string{"get", "list"},
 		},
+		// Access to hostendpoints from the UI ServiceGraph.
+		{
+			APIGroups: []string{"projectcalico.org"},
+			Resources: []string{"hostendpoints"},
+			Verbs:     []string{"get", "list"},
+		},
 		// Manage the threat defense configuration
 		{
 			APIGroups: []string{"projectcalico.org"},
diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go
index d89198f90e..333acbc499 100644
--- a/pkg/render/apiserver_test.go
+++ b/pkg/render/apiserver_test.go
@@ -1306,6 +1306,11 @@ var (
 			Resources: []string{"clusterinformations"},
 			Verbs:     []string{"get", "list"},
 		},
+		{
+			APIGroups: []string{"projectcalico.org"},
+			Resources: []string{"hostendpoints"},
+			Verbs:     []string{"get", "list"},
+		},
 		{
 			APIGroups: []string{"projectcalico.org"},
 			Resources: []string{
@@ -1445,6 +1450,11 @@ var (
 			Resources: []string{"clusterinformations"},
 			Verbs:     []string{"get", "list"},
 		},
+		{
+			APIGroups: []string{"projectcalico.org"},
+			Resources: []string{"hostendpoints"},
+			Verbs:     []string{"get", "list"},
+		},
 		{
 			APIGroups: []string{"projectcalico.org"},
 			Resources: []string{