bug fix

CentaurusInfra · Sep 18, 2021 · ea9b527 · ea9b527
1 parent 2803a92
commit ea9b527
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/pkg/controller/podSecret/pod-secret-controller.go b/pkg/controller/podSecret/pod-secret-controller.go
@@ -188,6 +188,9 @@ func (nc *PodSecretController) syncPodSecret(refKey string) error {
 		return nil
 	}
 
+	if labels == nil {
+		labels = make(map[string]string)
+	}
 	labels[nodeName] = ""
 	secret.SetLabels(labels)
 	_, err = nc.kubeClient.CoreV1().SecretsWithMultiTenancy(namespace, tenant).Update(secret)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -414,6 +414,15 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 		},
 	})
 
+	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pod-secret-controller"},
+		Rules: []rbacv1.PolicyRule{
+			rbacv1helpers.NewRule("list", "watch", "get").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+			rbacv1helpers.NewRule("list", "watch", "get", "update", "patch").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+			eventsRule(),
+		},
+	})
+
 	return controllerRoles, controllerRoleBindings
 }