From 52b1fc4b5ddcac1216cd218010b2aa2238d8c307 Mon Sep 17 00:00:00 2001
From: Jian Qiu <jqiu@redhat.com>
Date: Thu, 22 Jul 2021 14:11:41 +0800
Subject: [PATCH] Fix webhook rbac

Add rules for apiserver fairness

Signed-off-by: Jian Qiu <jqiu@redhat.com>
---
 .../cluster-manager-registration-webhook-clusterrole.yaml | 4 ++++
 .../cluster-manager-work-webhook-clusterrole.yaml         | 4 ++++
 pkg/operators/clustermanager/bindata/bindata.go           | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml
index 9199e5a7b..dd6b4c38a 100644
--- a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml
+++ b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml
@@ -11,3 +11,7 @@ rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
+# API priority and fairness
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["get", "list", "watch"]
diff --git a/manifests/cluster-manager/cluster-manager-work-webhook-clusterrole.yaml b/manifests/cluster-manager/cluster-manager-work-webhook-clusterrole.yaml
index fdd9c3414..1dbba6658 100644
--- a/manifests/cluster-manager/cluster-manager-work-webhook-clusterrole.yaml
+++ b/manifests/cluster-manager/cluster-manager-work-webhook-clusterrole.yaml
@@ -11,3 +11,7 @@ rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
+# API priority and fairness
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["get", "list", "watch"]
diff --git a/pkg/operators/clustermanager/bindata/bindata.go b/pkg/operators/clustermanager/bindata/bindata.go
index 7002e423e..c95d375d6 100644
--- a/pkg/operators/clustermanager/bindata/bindata.go
+++ b/pkg/operators/clustermanager/bindata/bindata.go
@@ -2105,6 +2105,10 @@ rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
+# API priority and fairness
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["get", "list", "watch"]
 `)
 
 func manifestsClusterManagerClusterManagerRegistrationWebhookClusterroleYamlBytes() ([]byte, error) {
@@ -2471,6 +2475,10 @@ rules:
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
+# API priority and fairness
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["get", "list", "watch"]
 `)
 
 func manifestsClusterManagerClusterManagerWorkWebhookClusterroleYamlBytes() ([]byte, error) {