From e4f65892122a83e45820cbaecbd71d8fdd952b32 Mon Sep 17 00:00:00 2001
From: Joel Gotsch
Date: Sun, 13 Apr 2025 22:27:23 +0200
Subject: [PATCH 1/3] add endpoints resource to postgres-operator ClusterRole
---
.../operator-service-account-rbac-openshift.yaml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/manifests/operator-service-account-rbac-openshift.yaml b/manifests/operator-service-account-rbac-openshift.yaml
index e716e82b7..e966e0abd 100644
--- a/manifests/operator-service-account-rbac-openshift.yaml
+++ b/manifests/operator-service-account-rbac-openshift.yaml
@@ -59,6 +59,20 @@ rules: - get - patch - update +# to create endpoints to services +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch # to read configuration and manage ConfigMaps used by Patroni - apiGroups: - ""
From bf313b1549cc405e3cc3348a4cc71b31d6716e14 Mon Sep 17 00:00:00 2001
From: Joel Gotsch
Date: Sun, 13 Apr 2025 23:07:07 +0200
Subject: [PATCH 2/3] add endpoints resources to postgres-pod
---
.../operator-service-account-rbac-openshift.yaml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/manifests/operator-service-account-rbac-openshift.yaml b/manifests/operator-service-account-rbac-openshift.yaml
index e966e0abd..4c77e5025 100644
--- a/manifests/operator-service-account-rbac-openshift.yaml
+++ b/manifests/operator-service-account-rbac-openshift.yaml
@@ -256,6 +256,19 @@ kind: ClusterRole metadata: name: postgres-pod rules: +# to create endpoints to services +- apiGroups: + - "" + resources: + - endpoints + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update # Patroni needs to watch and manage config maps - apiGroups: - ""
From e2bfe87ac0c53a2b715fdbc288ca0c8d5c2e03a5 Mon Sep 17 00:00:00 2001
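Review bot: The comment `# to create endpoints to services` understates what the new rule grants: the verb list also carries `delete` and `deletecollection` on endpoints, and since this is a ClusterRole the grant is cluster-wide. Either drop the verbs the operator does not actually exercise or make the comment name the reason for the destructive ones, e.g. `# to manage (create, update, delete) the endpoints used by Patroni and the operator`. `deletecollection` in particular is seldom needed by a controller that removes objects by name, so it should be confirmed against the operator code before it ships. If the project's non-OpenShift RBAC manifest already carries an equivalent endpoints rule, keeping the verb list and comment identical to it lets the two files be audited side by side.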
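Review bot: The endpoints rule added to the postgres-pod ClusterRole lists create, delete, deletecollection, get, list, patch and update but omits `watch`, while the operator rule from the previous commit includes it and the neighbouring context comment states that Patroni needs to watch config maps. If Patroni watches the endpoints it manages in the same way, the omission is likely to surface only as Forbidden errors on watch calls rather than as an obvious failure, so either add `- watch` to the verbs or state in the comment why it is not needed for this role. The copied comment `# to create endpoints to services` also does not explain `delete`/`deletecollection` for a role presumably bound to every database pod's service account; `# Patroni creates, updates and deletes the endpoints it uses for leader/config state` would match the verbs, and `deletecollection` should be confirmed as actually used before it is granted cluster-wide.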
From: Joel Gotsch
Date: Tue, 15 Apr 2025 20:16:02 +0200
Subject: [PATCH 3/3] add events and leases resources to postgres-pod role
---
...erator-service-account-rbac-openshift.yaml | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/manifests/operator-service-account-rbac-openshift.yaml b/manifests/operator-service-account-rbac-openshift.yaml
index 4c77e5025..3a99ddcdd 100644
--- a/manifests/operator-service-account-rbac-openshift.yaml
+++ b/manifests/operator-service-account-rbac-openshift.yaml
@@ -269,6 +269,27 @@ rules: - list - patch - update +- apiGroups: [""] resources: - events # Patroni may log to events verbs: - create - get - list - patch - update - watch +- apiGroups: ["coordination.k8s.io"] resources: - leases # Only if Patroni tries to use K8s Leases verbs: - create - get - list - update - delete - watch - patch # Patroni needs to watch and manage config maps - apiGroups: - ""
@@ -301,6 +322,15 @@ rules: - services verbs: - create + # to check nodes for node readiness label +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch # to grant privilege to run privileged pods (not needed by default) #- apiGroups: # - extensions
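Review bot: The inline comments `# Patroni may log to events` and `# Only if Patroni tries to use K8s Leases` record grants the author is not sure are exercised, which is a weak basis for adding cluster-wide rules to a ClusterRole presumably bound to every database pod; either confirm that the Patroni version in use writes Events and can be configured to use Leases at all, then make the comments definite, or leave the rules out until a Forbidden error shows they are needed. If the events rule is kept, `create` and `patch` are the verbs an event writer normally needs, so the get/list/update/watch grants should be justified in the comment or dropped. Style-wise, the two new rules use flow style `apiGroups: [""]` / `apiGroups: ["coordination.k8s.io"]` and an unsorted verb list, whereas the rules visible in the surrounding hunks use block style and alphabetical verbs; `- apiGroups:` followed by `  - coordination.k8s.io` and sorted verbs keeps the file consistent. The nodes rule in the second hunk has a related consistency issue: its comment `# to check nodes for node readiness label` is indented one level deeper than the sibling rule comments.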