From 47fe3e5de32520b740272572b8f33342360b8e74 Mon Sep 17 00:00:00 2001 From: Alex Jean-Baptiste Jr Date: Mon, 23 Sep 2024 17:40:00 -0400 Subject: [PATCH 1/4] Modified exector role for necessary cluster permissions --- .../k8s/templates/executor.Role.yaml | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml index c326092c..9da283c5 100644 --- a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml +++ b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml @@ -2,34 +2,22 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: sg-executor-role + name: executor labels: - category: rbac deploy: sourcegraph - sourcegraph-resource-requires: cluster-admin app.kubernetes.io/component: executor rules: - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - apiGroups: - "" resources: - pods - pods/log + - secrets + - persistentvolumeclaims verbs: - get - list - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - create - delete {{- end }} From d5e8f1ed5354f054977ba0911293cb42c83c079d Mon Sep 17 00:00:00 2001 From: Alex Jean-Baptiste Jr Date: Mon, 23 Sep 2024 17:51:16 -0400 Subject: [PATCH 2/4] Modifcation to keep previous metadata and naming --- charts/sourcegraph-executor/k8s/templates/executor.Role.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml index 9da283c5..d899be32 100644 --- a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml +++ b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml 
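Review bot: Listing `secrets` in the same rule as `pods` and `pods/log` gives the executor `get`, `list` and `watch` on every Secret in the Role's namespace, where the removed rule allowed only `create` and `delete`; a `list` on secrets returns their data, so this amounts to read access to all of them. The same coupling survives in narrower form in the patch 3/4 hunk, whose shared `secrets`/`persistentvolumeclaims` rule adds `get`, and in the patch 4/4 hunk, which adds `list` to that rule. The commit messages only motivate the PVC verbs, so unless the executor is known to read Secrets back, keep `secrets` in a rule of its own with the original verbs and give the read verbs to `persistentvolumeclaims` alone, as sketched below. The sketch uses conventional indentation because the page's own was lost.

```yaml
# … unchanged: the other rules of the Role …
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - create
      - delete
```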
@@ -2,9 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: executor + name: sg-executor-role labels: + category: rbac deploy: sourcegraph + sourcegraph-resource-requires: cluster-admin app.kubernetes.io/component: executor rules: - apiGroups: From 12a2d671d7416cb24eed9082b5fb77d0250b8474 Mon Sep 17 00:00:00 2001 From: Enrique Gonzalez Date: Thu, 10 Jul 2025 09:08:12 -0600 Subject: [PATCH 3/4] fix: restore missing batch/jobs permissions and add PVC permissions to executor role - Re-add batch/jobs create/delete permissions that were accidentally removed - Add persistentvolumeclaims create/delete permissions for job workspaces - Right-size pod permissions to get/list/watch only - Fixes customer-reported "cannot create resource persistentvolumeclaims" errors - Resolves batch changes functionality breaking due to missing permissions --- .../k8s/templates/executor.Role.yaml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml index d899be32..f2ae270e 100644 --- a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml +++ b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml @@ -9,17 +9,29 @@ metadata: sourcegraph-resource-requires: cluster-admin app.kubernetes.io/component: executor rules: + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete - apiGroups: - "" resources: - pods - pods/log - - secrets - - persistentvolumeclaims verbs: - get - list - watch + - apiGroups: + - "" + resources: + - secrets + - persistentvolumeclaims + verbs: + - get - create - delete {{- end }} From 8bef556934a43ba3cbc9364621b241a847f4217f Mon Sep 17 00:00:00 2001 From: Enrique Gonzalez Date: Thu, 10 Jul 2025 09:25:22 -0600 Subject: [PATCH 4/4] add list verb as well --- charts/sourcegraph-executor/k8s/templates/executor.Role.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml index f2ae270e..7a3d1ef4 100644 --- a/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml +++ b/charts/sourcegraph-executor/k8s/templates/executor.Role.yaml @@ -32,6 +32,7 @@ rules: - persistentvolumeclaims verbs: - get + - list - create - delete {{- end }}