Added missing permissions for operator. (#6683)

Related commit: https://github.com/cilium/cilium/commit/976337b750ac8110b128fa25105e2fcc91ccd223

Added missing permissions for operator. (#6683)
9ce34be2 · Sebastian · GitHub · 79226d08 · 9ce34be2
Unverified Commit 9ce34be2 authored 4 years ago by Sebastian Committed by GitHub 4 years ago
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -69,6 +69,25 @@ rules:
  - get
  - list
  - watch
+{% if cilium_version | regex_replace('v') is version('1.8', '>=') %}
+  # For cilium-operator running in HA mode.
+  #
+  # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
+  # between mulitple running instances.
+  # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
+  # common and fewer objects in the cluster watch "all Leases".
+  # The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release.
+  # In Cilium we currently don't support HA mode for K8s version < 1.14. This condition make sure
+  # that we only authorize access to leases resources in supported K8s versions.
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+{% endif %}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole