Fix Cilium permissions (#5923)

* added required permissions for querying endpointslice resources

* copy-pasted role permissions from cilium install manifests

* bumped cilium version to v1.7.2

roles/download/defaults/main.yml

@@ -80,7 +80,7 @@ cni_version: "v0.8.5"
 weave_version: 2.5.2
 pod_infra_version: 3.1
 contiv_version: 1.2.1
-cilium_version: "v1.7.1"
+cilium_version: "v1.7.2"
 kube_ovn_version: "v0.6.0"
 kube_router_version: "v0.4.0"
 multus_version: "v3.4.1"

roles/network_plugin/cilium/templates/cilium-cr.yml.j2

@@ -4,13 +4,6 @@ kind: ClusterRole
 metadata:
   name: cilium-operator
 rules:
-- apiGroups:
-  - ""
-  resources:
-  # to get k8s version and status
-  - componentstatuses
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -22,6 +15,14 @@ rules:
   - list
   - watch
   - delete
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -32,6 +33,8 @@ rules:
   # to perform the translation of a CNP that contains `ToGroup` to its endpoints
   - services
   - endpoints
+  # to check apiserver connectivity
+  - namespaces
   verbs:
   - get
   - list
@@ -41,6 +44,8 @@ rules:
   resources:
   - ciliumnetworkpolicies
   - ciliumnetworkpolicies/status
+  - ciliumclusterwidenetworkpolicies
+  - ciliumclusterwidenetworkpolicies/status
   - ciliumendpoints
   - ciliumendpoints/status
   - ciliumnodes
@@ -63,6 +68,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -94,7 +107,6 @@ rules:
 - apiGroups:
   - apiextensions.k8s.io
   resources:
-      - ingresses
   - customresourcedefinitions
   verbs:
   - create