controller: fix permissions for pvcs (#891)

davidwding · web-flow · commit f98c5f36e9be · 2022-04-28T14:35:13.000-04:00
Previously, resizing PVCs was broken due to missing permissions. This
patch adds in those missing permissions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## Fixed
 
 * Grant operator deletecollection permissions to fix fullcluster restart flow
+* Grant operator list and update permissions on pvcs to fix pvc resize flow
 
 # [v2.6.0](https://github.com/cockroachdb/cockroach-operator/compare/v2.5.3...v2.6.0)
 
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -143,6 +143,13 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - list
+  - update
 - apiGroups:
   - ""
   resources:
diff --git a/install/operator.yaml b/install/operator.yaml
@@ -156,6 +156,13 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - list
+  - update
 - apiGroups:
   - ""
   resources:
diff --git a/pkg/controller/cluster_controller.go b/pkg/controller/cluster_controller.go
@@ -67,6 +67,7 @@ type ClusterReconciler struct {
 // +kubebuilder:rbac:groups=core,resources=pods/exec,verbs=create
 // +kubebuilder:rbac:groups=core,resources=pods/log,verbs=get
 // +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list
+// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=list;update
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=get;list;create;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;list;create;watch
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;create;watch
