feat: Add pods/portforward permissions (#1809)

Signed-off-by: Anatolii Bazko <[email protected]>
eclipse-che · Feb 5, 2024 · 1ae0142 · 1ae0142
1 parent aaa157b
commit 1ae0142
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 2 deletions.
diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml
@@ -77,7 +77,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.81.0-832.next
+  name: eclipse-che.v7.82.0-835.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -806,6 +806,14 @@ spec:
                 - get
                 - list
                 - watch
+            - apiGroups:
+                - ""
+              resources:
+                - pods/portforward
+              verbs:
+                - get
+                - list
+                - create
             - apiGroups:
                 - workspace.devfile.io
               resources:
@@ -1240,7 +1248,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.81.0-832.next
+  version: 7.82.0-835.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml
@@ -343,6 +343,14 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - ''
+    resources:
+      - pods/portforward
+    verbs:
+      - get
+      - list
+      - create
   - apiGroups:
       - workspace.devfile.io
     resources:

diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
@@ -8745,6 +8745,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/portforward
+  verbs:
+  - get
+  - list
+  - create
 - apiGroups:
   - workspace.devfile.io
   resources:

diff --git a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml
@@ -343,6 +343,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/portforward
+  verbs:
+  - get
+  - list
+  - create
 - apiGroups:
   - workspace.devfile.io
   resources:

diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml
@@ -8745,6 +8745,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/portforward
+  verbs:
+  - get
+  - list
+  - create
 - apiGroups:
   - workspace.devfile.io
   resources:

diff --git a/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml b/deploy/deployment/openshift/objects/che-operator.ClusterRole.yaml
@@ -343,6 +343,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/portforward
+  verbs:
+  - get
+  - list
+  - create
 - apiGroups:
   - workspace.devfile.io
   resources:

diff --git a/helmcharts/next/templates/che-operator.ClusterRole.yaml b/helmcharts/next/templates/che-operator.ClusterRole.yaml
@@ -343,6 +343,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/portforward
+  verbs:
+  - get
+  - list
+  - create
 - apiGroups:
   - workspace.devfile.io
   resources:

diff --git a/pkg/deploy/server/rbac.go b/pkg/deploy/server/rbac.go
@@ -208,6 +208,11 @@ func (s *CheServerReconciler) getUserCommonPolicies() []rbacv1.PolicyRule {
 			Resources: []string{"pods/log"},
 			Verbs:     []string{"get", "list", "watch"},
 		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"pods/portforward"},
+			Verbs:     []string{"get", "list", "create"},
+		},
 		{
 			APIGroups: []string{""},
 			Resources: []string{"secrets"},