From 83cf9ced701c8ef8ba08130721730e58ca5b4ddd Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 17 Jul 2025 14:18:22 +0200 Subject: [PATCH 1/4] fix: Add RBAC permission to patch events --- deploy/helm/opa-operator/templates/roles.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/opa-operator/templates/roles.yaml b/deploy/helm/opa-operator/templates/roles.yaml index 60b05c9d..0a80a260 100644 --- a/deploy/helm/opa-operator/templates/roles.yaml +++ b/deploy/helm/opa-operator/templates/roles.yaml @@ -82,7 +82,6 @@ rules: - events.k8s.io resources: - events - - patch verbs: - create - patch @@ -132,6 +131,7 @@ rules: - events.k8s.io resources: - events + - patch verbs: - create {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} From 80d32f5461fafdf8b8589e66890e7f90c29023c0 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Fri, 18 Jul 2025 14:25:20 +0200 Subject: [PATCH 2/4] Update deploy/helm/opa-operator/templates/roles.yaml --- deploy/helm/opa-operator/templates/roles.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/helm/opa-operator/templates/roles.yaml b/deploy/helm/opa-operator/templates/roles.yaml index 0a80a260..926560c6 100644 --- a/deploy/helm/opa-operator/templates/roles.yaml +++ b/deploy/helm/opa-operator/templates/roles.yaml @@ -134,6 +134,7 @@ rules: - patch verbs: - create + - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - apiGroups: - security.openshift.io From fbb5108e035a077aec7b392cb435d90242bdf989 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Fri, 18 Jul 2025 14:27:32 +0200 Subject: [PATCH 3/4] Fix --- deploy/helm/opa-operator/templates/roles.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/helm/opa-operator/templates/roles.yaml b/deploy/helm/opa-operator/templates/roles.yaml index 926560c6..59f97ab5 100644 --- a/deploy/helm/opa-operator/templates/roles.yaml +++ b/deploy/helm/opa-operator/templates/roles.yaml @@ -131,7 +131,6 @@ rules: - events.k8s.io resources: - events - - patch verbs: - create - patch From 34d3897a6cde10771691dd1312fb0b0832e863e0 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Mon, 21 Jul 2025 10:43:33 +0200 Subject: [PATCH 4/4] changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b0c0b86..7cdf15fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,8 @@ All notable changes to this project will be documented in this file. - The default Kubernetes cluster domain name is now fetched from the kubelet API unless explicitly configured. - This requires operators to have the RBAC permission to get nodes/proxy in the apiGroup "". The helm-chart takes care of this. - The CLI argument `--kubernetes-node-name` or env variable `KUBERNETES_NODE_NAME` needs to be set. The helm-chart takes care of this. +- The operator helm-chart now grants RBAC `patch` permissions on `events.k8s.io/events`, + so events can be aggregated (e.g. "error happened 10 times over the last 5 minutes") ([#745]). ### Fixed @@ -74,6 +76,7 @@ All notable changes to this project will be documented in this file. [#737]: https://github.com/stackabletech/opa-operator/pull/737 [#743]: https://github.com/stackabletech/opa-operator/pull/743 [#744]: https://github.com/stackabletech/opa-operator/pull/744 +[#745]: https://github.com/stackabletech/opa-operator/pull/745 ## [25.3.0] - 2025-03-21