helm/cdi-device-injector: allow watching namespaces.

Namespace have cluster scope, so the plugin needs cluster role RBAC authorization to watch namespaces. I don't know if it is possible to further limit watching namespaces to a particular name(space). Now any namespace known by name can be watched by the plugin. Signed-off-by: Krisztian Litkey <[email protected]>
klihub · Jul 18, 2024 · 3bd9e01 · 3bd9e01
1 parent 118c0ab
commit 3bd9e01
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 30 deletions.
diff --git a/deployment/helm/cdi-device-injector/templates/clusterrole.yaml b/deployment/helm/cdi-device-injector/templates/clusterrole.yaml
@@ -5,3 +5,10 @@ metadata:
   labels:
     {{- include "nri-plugin.labels" . | nindent 4 }}
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - watch
diff --git a/deployment/helm/cdi-device-injector/templates/role.yaml b/deployment/helm/cdi-device-injector/templates/role.yaml
diff --git a/deployment/helm/cdi-device-injector/templates/rolebindings.yaml b/deployment/helm/cdi-device-injector/templates/rolebindings.yaml