From 5ffe3b8a8bfb68e9e4a1588a7bf2e1b3397ed824 Mon Sep 17 00:00:00 2001
From: Qing Hao
Date: Tue, 5 Jul 2022 14:44:35 +0800
Subject: [PATCH] leader election needs to operate configmaps and leases (#260)
Signed-off-by: haoqing0110
---
 .../management/klusterlet-registration-role.yaml | 9 ++++++++-
 .../klusterlet/management/klusterlet-work-role.yaml | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/manifests/klusterlet/management/klusterlet-registration-role.yaml b/manifests/klusterlet/management/klusterlet-registration-role.yaml
index ea20cc31e..f9da097ca 100644
--- a/manifests/klusterlet/management/klusterlet-registration-role.yaml
+++ b/manifests/klusterlet/management/klusterlet-registration-role.yaml
@@ -6,7 +6,14 @@ metadata:
 name: open-cluster-management:management:{{ .KlusterletName }}-registration:agent
 namespace: {{ .AgentNamespace }}
 rules:
-# leader election needs to operate configmaps, create hub-kubeconfig external-managed-registration/work secrets
+# leader election needs to operate configmaps and leases
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "list", "update", "watch", "patch"]
+# create hub-kubeconfig external-managed-registration/work secrets
 # TODO(zhujian7): may be replaced by a clusterrole to grant secret operation for others namespaces when addon
 # agents are supported running on the management cluster
 - apiGroups: [""]
diff --git a/manifests/klusterlet/management/klusterlet-work-role.yaml b/manifests/klusterlet/management/klusterlet-work-role.yaml
index 7be545521..7ec0bbddb 100644
--- a/manifests/klusterlet/management/klusterlet-work-role.yaml
+++ b/manifests/klusterlet/management/klusterlet-work-role.yaml
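Review bot: The two rules added in klusterlet-registration-role.yaml carry no `resourceNames`, so the registration agent can modify or delete every ConfigMap and rewrite every Lease in the agent namespace, not only its own election lock. If the election code only gets, creates and updates a single lock object (worth confirming against the library in use), drop `delete` and pin the write verbs to that object, e.g. `resourceNames: ["<LOCK_NAME>"]` with `verbs: ["get", "update", "patch"]`, leaving `create` (which `resourceNames` cannot restrict) in a separate rule. The `kind:` line and the remaining rules are outside the hunk, so this assumes a namespaced Role. The klusterlet-work-role.yaml hunk shows the same ConfigMap verb set as unchanged context.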
@@ -6,7 +6,7 @@ metadata:
 name: open-cluster-management:management:{{ .KlusterletName }}-work:agent
 namespace: {{ .AgentNamespace }}
 rules:
-# leader election needs to operate configmaps
+# leader election needs to operate configmaps and leases
 - apiGroups: [""]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]