From 9ce34be2177277690c0fa838958dba3b9f0e6475 Mon Sep 17 00:00:00 2001
From: Sebastian <sebastian@azmi.pl>
Date: Fri, 18 Sep 2020 11:12:45 +0200
Subject: [PATCH] Added missing permissions for operator. (#6683)

Related commit: https://github.com/cilium/cilium/commit/976337b750ac8110b128fa25105e2fcc91ccd223
---
 .../cilium/templates/cilium-cr.yml.j2         | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
index 1fbf26235..8220d99f8 100644
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -69,6 +69,25 @@ rules:
   - get
   - list
   - watch
+{% if cilium_version | regex_replace('v') is version('1.8', '>=') %}
+  # For cilium-operator running in HA mode.
+  #
+  # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
+  # between mulitple running instances.
+  # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
+  # common and fewer objects in the cluster watch "all Leases".
+  # The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release.
+  # In Cilium we currently don't support HA mode for K8s version < 1.14. This condition make sure
+  # that we only authorize access to leases resources in supported K8s versions.
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+{% endif %}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
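Review bot: The added rule grants `create`, `get` and `update` on every Lease in every namespace, because it sits in a ClusterRole and carries no `resourceNames`; that covers leader-election and node-heartbeat leases owned by other components, not only the operator's own lock. Consider keeping `create` cluster-wide (it cannot be limited by name) but restricting `get`/`update` to the operator's lock lease as sketched below, or moving the rule into a namespaced Role if the operator only takes its lock in its own namespace. The comment's last sentence also does not match the guard: the `{% if %}` tests `cilium_version`, not the Kubernetes version, so `# Granted only when cilium_version >= 1.8; the Kubernetes version is not checked here.` would be accurate. The enclosing `rules:` list and the ClusterRole's name begin outside this hunk.

```yaml
# … unchanged: cilium_version guard and HA-mode comment …
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  resourceNames:
  # placeholder: the lease name the operator uses for leader election
  - <OPERATOR_LOCK_LEASE_NAME>
  verbs:
  - get
  - update
# … unchanged: endif …
```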
-- 
GitLab