diff --git a/pkg/render/manager.go b/pkg/render/manager.go index ecbf2cae00..47ebd9394c 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go @@ -999,14 +999,23 @@ func managerClusterRole(managedCluster bool, kubernetesProvider operatorv1.Provi { // ui-apis needs broad read access to UISettings and UISettingsGroups to serve // requests on behalf of users. It performs SubjectAccessReviews to enforce - // per-group RBAC before returning results. + // per-group RBAC before returning results. Delete is included because the + // ui-apis DELETE handler issues the call with its own service-account token + // (writes were moved off user impersonation by the cloud security fix). APIGroups: []string{"projectcalico.org"}, Resources: []string{ "uisettings", "uisettingsgroups", "uisettingsgroups/data", }, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "delete"}, + }, + { + // ClusterInformation read: surfaces the management-cluster version in the UI. + // Served by the ui-apis ClusterInformation handler using its own SA token. + APIGroups: []string{"projectcalico.org"}, + Resources: []string{"clusterinformations"}, + Verbs: []string{"get", "list"}, }, { APIGroups: []string{"projectcalico.org"}, @@ -1030,11 +1039,14 @@ func managerClusterRole(managedCluster bool, kubernetesProvider operatorv1.Provi }, Verbs: []string{"list"}, }, - // Allow Enterprise Custom Dashboards to access managed clusters + // Allow Enterprise Custom Dashboards to access managed clusters. Create/delete + // were added when the ui-apis ManagedCluster handler took over CRUD with its + // own SA token (replacing the impersonated /apis/.../managedclusters proxy). + // Update is granted separately via managedClustersUpdateRBAC(). { APIGroups: []string{"projectcalico.org"}, Resources: []string{"managedclusters"}, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "create", "delete"}, }, { APIGroups: []string{"projectcalico.org"}, 
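Review bot: The new `delete` verb in the UISettings rule applies to all three listed resources, including the `uisettingsgroups/data` subresource, while the comment only justifies it for the ui-apis DELETE handler; if that handler removes `uisettings`/`uisettingsgroups` objects only, the subresource grant is surplus and should stay in a separate read-only rule. Once the DELETE is issued with the service-account token instead of by impersonating the user, the per-user authorization lives entirely in handler code, so the grant site should state that precondition, e.g. `// The DELETE handler MUST SubjectAccessReview the caller's "delete" on the named resource before using this token; RBAC no longer checks the user.` The phrase "the cloud security fix" is not traceable from here; cite the issue or PR number so the reason for widening the role can be audited later. For the new `clusterinformations` rule, `get` alone likely suffices if the handler reads the singleton `default` object — `list` looks like an extra grant worth confirming. `managerClusterRole` begins before this hunk.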
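Review bot: Granting `create` and `delete` on `managedclusters` cluster-wide to the manager service account makes ui-apis the only authorization point for registering or removing managed clusters, and the comment records where the verbs came from but not what guards them; add `// Handler must SAR the caller for create/delete on managedclusters before acting with this token.` at the rule so the invariant is visible where the privilege is granted. Because the rule carries no `ResourceNames`, a compromised manager pod can delete any ManagedCluster registration, so if the handler only ever deletes an object the caller named, the SubjectAccessReview should be per-name rather than a blanket check. The remark that `update` is granted via `managedClustersUpdateRBAC()` cannot be verified from this hunk — keep both grant sites cross-referenced so a later edit to one does not silently widen the other. `managerClusterRole` begins before this hunk.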
diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index 92243e464d..64a8da60e7 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go @@ -354,7 +354,12 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { "uisettingsgroups", "uisettingsgroups/data", }, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "delete"}, + }, + { + APIGroups: []string{"projectcalico.org"}, + Resources: []string{"clusterinformations"}, + Verbs: []string{"get", "list"}, }, { APIGroups: []string{"projectcalico.org"}, @@ -381,7 +386,7 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { { APIGroups: []string{"projectcalico.org"}, Resources: []string{"managedclusters"}, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "create", "delete"}, }, { APIGroups: []string{"projectcalico.org"}, @@ -684,7 +689,12 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { "uisettingsgroups", "uisettingsgroups/data", }, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "delete"}, + }, + { + APIGroups: []string{"projectcalico.org"}, + Resources: []string{"clusterinformations"}, + Verbs: []string{"get", "list"}, }, { APIGroups: []string{"projectcalico.org"}, @@ -711,7 +721,7 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { { APIGroups: []string{"projectcalico.org"}, Resources: []string{"managedclusters"}, - Verbs: []string{"get", "list", "watch"}, + Verbs: []string{"get", "list", "watch", "create", "delete"}, }, { APIGroups: []string{"projectcalico.org"},