From 476163d451e31bd9c260cf4355ec3663da2d18e4 Mon Sep 17 00:00:00 2001
From: Timo Adler
Date: Thu, 5 Mar 2026 19:23:55 +0100
Subject: [PATCH 1/2] Move leases RBAC to metadata-reader role
---
.../chart/reloader/templates/clusterrole.yaml | 10 ----------
.../kubernetes/chart/reloader/templates/role.yaml | 12 +++++++++++-
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/deployments/kubernetes/chart/reloader/templates/clusterrole.yaml b/deployments/kubernetes/chart/reloader/templates/clusterrole.yaml
index bd14dfeb7..495f3d88d 100644
--- a/deployments/kubernetes/chart/reloader/templates/clusterrole.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/clusterrole.yaml
@@ -96,16 +96,6 @@ rules:
 - list
 - get
 {{- end}}
-{{- if .Values.reloader.enableHA }}
- - apiGroups:
- - "coordination.k8s.io"
- resources:
- - leases
- verbs:
- - create
- - get
- - update
-{{- end}}
 {{- if .Values.reloader.enableCSIIntegration }}
 - apiGroups:
 - "secrets-store.csi.x-k8s.io"
diff --git a/deployments/kubernetes/chart/reloader/templates/role.yaml b/deployments/kubernetes/chart/reloader/templates/role.yaml
index 7355d873b..41f46a12d 100644
--- a/deployments/kubernetes/chart/reloader/templates/role.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/role.yaml
@@ -142,4 +142,14 @@ rules:
 - watch
 - create
 - update
-{{- end }}
\ No newline at end of file
+{{- if .Values.reloader.enableHA }}
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+{{- end}}
+{{- end }}
From e375104c8bf8a730f5073b26f72b875f09051c5c Mon Sep 17 00:00:00 2001
From: Timo Adler
Date: Fri, 22 May 2026 21:04:22 +0200
Subject: [PATCH 2/2] split create and get/update Limited due to https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
---
deployments/kubernetes/chart/reloader/templates/role.yaml | 7 +++++++
1 file changed, 7 insertions(+)
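Review bot: In the role.yaml hunk of PATCH 1/2 the new `{{- if .Values.reloader.enableHA }}` rule is added above the final `{{- end }}`, so it is nested inside a conditional that opens outside this hunk, and the lease grant now depends on that outer condition as well as on enableHA. If the outer block can be skipped while HA is enabled, the service account loses create/get/update on leases (the same patch removes them from the ClusterRole) and leader election would presumably fail on RBAC denials. A Role is namespaced, so the grant covers only leases in the Role's own namespace; I would confirm the lock is created there and record it in the template, e.g. `{{- /* leases: leader-election lock, must live in this Role's namespace */}}`. The added block also closes with `{{- end}}` while the next line uses `{{- end }}`.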
diff --git a/deployments/kubernetes/chart/reloader/templates/role.yaml b/deployments/kubernetes/chart/reloader/templates/role.yaml
index 41f46a12d..bd2eb43e1 100644
--- a/deployments/kubernetes/chart/reloader/templates/role.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/role.yaml
@@ -149,6 +149,13 @@ rules:
 - leases
 verbs:
 - create
+ - apiGroups:
+ - "coordination.k8s.io"
+ resourceNames:
+ - stakater-reloader-lock
+ resources:
+ - leases
+ verbs:
 - get
 - update
 {{- end}}
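Review bot: The new `resourceNames` entry hard-codes `stakater-reloader-lock`, and nothing in this hunk ties that string to the lease name the controller actually uses; if the two drift, `get`/`update` are denied and HA leader election stops working without any chart-level error. I would verify the name against the leader-election code and record the coupling above the first leases rule, e.g. `{{- /* must match the leader-election lease name; create cannot be limited by resourceNames */}}`. Note that `create` stays unrestricted by name, so the service account can still create arbitrary Lease objects in this namespace. That is the RBAC limitation the commit message links to, but it is worth stating next to the rule so a later reader does not assume the whole grant is pinned to one lease.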