From 649e8c8776da472a2cfb059b562b17974008ef98 Mon Sep 17 00:00:00 2001
From: Casey Davenport
Date: Fri, 22 May 2026 15:53:39 -0700
Subject: [PATCH] RBAC: add update verbs for /status subresources
Several SAs need to write to /status subresources but the ClusterRoles only grant access to the parent resource:
- calico-apiserver SA: add globalalerts/status, packetcaptures/status, securityeventwebhooks/status (backing-storage rule)
- calico-node SA (enterprise): add packetcaptures/status alongside the existing packetcaptures update verb
- intrusion-detection-controller SA: add securityeventwebhooks/status for the webhooks-processor controller
Surfaces on real-cluster e2e (gcp-kubeadm) as repeated 403s in intrusion-detection-controller and felix capture status writer.
---
 pkg/render/apiserver.go | 3 +++
 pkg/render/intrusion_detection.go | 2 +-
 pkg/render/intrusion_detection_test.go | 2 +-
 pkg/render/node.go | 1 +
 4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
index ac685a91a6..44ac64798f 100644
--- a/pkg/render/apiserver.go
+++ b/pkg/render/apiserver.go
@@ -1441,6 +1441,7 @@ func (c *apiServerComponent) tigeraAPIServerClusterRole() *rbacv1.ClusterRole {
 "egressgatewaypolicies",
 "externalnetworks",
 "globalalerts",
+ "globalalerts/status",
 "globalalerttemplates",
 "globalreports",
 "globalreporttypes",
@@ -1451,10 +1452,12 @@ func (c *apiServerComponent) tigeraAPIServerClusterRole() *rbacv1.ClusterRole {
 "managedclusters/status",
 "networks",
 "packetcaptures",
+ "packetcaptures/status",
 "policyrecommendationscopes",
 "policyrecommendationscopes/status",
 "remoteclusterconfigurations",
 "securityeventwebhooks",
+ "securityeventwebhooks/status",
 "uisettings",
 "uisettingsgroups",
 },
diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go
index da2aa28530..f0aedbad0a 100644
--- a/pkg/render/intrusion_detection.go
+++ b/pkg/render/intrusion_detection.go
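Review bot: The new `/status` entries in tigeraAPIServerClusterRole (both apiserver.go hunks) and the `packetcaptures/status` entry in nodeRole (node.go) have no matching rendering-test change — the diffstat touches only intrusion_detection_test.go — so if the API server and node render tests assert the exact rule they now fail, and if they do not, the widened rules land unasserted; please extend those tests with the new resource names. The Verbs and APIGroups of this resource list lie outside both hunks, so the verbs actually granted on the three status subresources cannot be confirmed from the diff; the commit message calls this the backing-storage rule, and a comment at the head of the list such as `// Includes /status subresources: the aggregated API server persists status writes on behalf of client SAs.` would record why this component, rather than the writing client, needs them. The enclosing function tigeraAPIServerClusterRole starts before and ends after the hunks.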
@@ -342,7 +342,7 @@ func (c *intrusionDetectionComponent) intrusionDetectionClusterRole() *rbacv1.Cl
 },
 {
 APIGroups: []string{"projectcalico.org", "crd.projectcalico.org"},
- Resources: []string{"securityeventwebhooks"},
+ Resources: []string{"securityeventwebhooks", "securityeventwebhooks/status"},
 Verbs: []string{"get", "list", "watch", "update"},
 },
 {
diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go
index b6bad160fa..8b1084b928 100644
--- a/pkg/render/intrusion_detection_test.go
+++ b/pkg/render/intrusion_detection_test.go
@@ -212,7 +212,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 },
 rbacv1.PolicyRule{
 APIGroups: []string{"projectcalico.org", "crd.projectcalico.org"},
- Resources: []string{"securityeventwebhooks"},
+ Resources: []string{"securityeventwebhooks", "securityeventwebhooks/status"},
 Verbs: []string{"get", "list", "watch", "update"},
 },
 rbacv1.PolicyRule{
diff --git a/pkg/render/node.go b/pkg/render/node.go
index c72fe93c79..638c95b351 100644
--- a/pkg/render/node.go
+++ b/pkg/render/node.go
@@ -581,6 +581,7 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole {
 APIGroups: []string{"projectcalico.org", "crd.projectcalico.org"},
 Resources: []string{
 "packetcaptures",
+ "packetcaptures/status",
 },
 Verbs: []string{"update"},
 },
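Review bot: Appending `securityeventwebhooks/status` to a rule whose Verbs are `get`, `list`, `watch`, `update` grants list and watch on a subresource that normally serves only get/update/patch, so the new entry carries verbs the webhooks-processor cannot exercise and the rule reads broader than the access it actually confers. A tighter shape is to leave the parent-resource rule as it was and add a separate rule `{APIGroups: []string{"projectcalico.org", "crd.projectcalico.org"}, Resources: []string{"securityeventwebhooks/status"}, Verbs: []string{"update"}}`, adding `get` only if the controller reads through the status endpoint, with the same split mirrored in the intrusion_detection_test.go hunk. Whether the controller uses update or patch for its status writes is not visible here; confirm against its client calls before fixing the verb list. intrusionDetectionClusterRole continues outside the hunk.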
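Review bot: The packetcaptures rule in nodeRole has no comment saying why the calico-node SA — presumably shared by every calico-node pod — needs cluster-wide `update` on PacketCapture objects and now on their status, which makes the grant hard to audit against least privilege later. The commit message identifies the writer as felix's capture status writer, so record that above the rule, e.g. `// Felix's capture status writer updates PacketCapture objects and their /status subresource.`, so the next reviewer can tell this is deliberate rather than leftover scope. nodeRole starts before and ends after the hunk, so whether this rule is gated on the enterprise variant the commit message mentions cannot be seen here.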