Grant /status RBAC for ManagedCluster and PacketCapture #4823

Merged: caseydavenport merged 1 commit into master from casey-mc-status-rbac on May 19, 2026

@caseydavenport
Member

calico-private https://github.com/tigera/calico-private/pull/11977 routes voltron's ManagedCluster status writes and kube-controllers' PacketCapture status writes through the /status subresource. Without matching RBAC, both clients get 403'd and end up in a tight retry loop. Confirmed on the bleeding-edge cluster:

managedclusters.projectcalico.org "<name>" is forbidden:
User "system:serviceaccount:calico-system:calico-manager" cannot
update resource "managedclusters/status" in API group "projectcalico.org"
at the cluster scope

This change:

  • Adds managedclusters/status (update) to the calico-manager update role (both ClusterRole and per-tenant Role variants).
  • Adds packetcaptures/status (update) to the calico-kube-controllers ClusterRole.

The other resources from https://github.com/tigera/calico-private/pull/11961 (GlobalAlert, GlobalReport, AlertException, SecurityEventWebhook) either already have /status grants or have no current UpdateStatus callers, so they're unchanged here.

Test plan

  • Verified live on bleeding-edge mgmt cluster that voltron status writes succeed once the calico-manager role is updated.
  • pkg/render + pkg/render/kubecontrollers unit tests pass (rule-count assertions updated).

calico-private PR #11977 routes voltron's ManagedCluster status writes
and kube-controllers' PacketCapture status writes through the /status
subresource. Without matching RBAC, both clients hit 403 in a tight
retry loop. Add `managedclusters/status` to the calico-manager update
role and `packetcaptures/status` to the calico-kube-controllers cluster
role.
@caseydavenport
Member Author

Linked PRs for EV-6617 / EV-6621:

@caseydavenport caseydavenport merged commit fbf68c1 into master May 19, 2026
7 of 11 checks passed
@caseydavenport caseydavenport deleted the casey-mc-status-rbac branch May 19, 2026 23:11
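
The 403 quoted in the PR description follows from how Kubernetes RBAC matches subresources: a grant on a resource does not extend to its /status subresource. The Go sketch below is an added example, not code from the operator or from calico-private; the `PolicyRule` type, the `Allowed` helper and the "before" rule set are constructed for illustration.

```go
package main

import "fmt"

// PolicyRule is a constructed stand-in for the fields of a Kubernetes RBAC rule.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches: a rule on "managedclusters" does not cover
// "managedclusters/status"; only "resource/sub", "*/sub" or "*" does.
func resourceMatches(r PolicyRule, resource, sub string) bool {
	if sub == "" {
		return has(r.Resources, resource)
	}
	return has(r.Resources, resource+"/"+sub) || has(r.Resources, "*/"+sub)
}

// Allowed reports whether any rule permits verb on group/resource[/sub].
func Allowed(rules []PolicyRule, verb, group, resource, sub string) bool {
	for _, r := range rules {
		if has(r.Verbs, verb) && has(r.APIGroups, group) && resourceMatches(r, resource, sub) {
			return true
		}
	}
	return false
}

// Constructed rule sets: Before is an assumed update grant on the parent
// resource only; After adds the /status grant the PR describes.
var (
	grp    = []string{"projectcalico.org"}
	upd    = []string{"update"}
	Before = []PolicyRule{{grp, []string{"managedclusters"}, upd}}
	After  = []PolicyRule{Before[0], {grp, []string{"managedclusters/status"}, upd}}
)

func main() {
	fmt.Println("before:", Allowed(Before, "update", "projectcalico.org", "managedclusters", "status"))
	fmt.Println("after: ", Allowed(After, "update", "projectcalico.org", "managedclusters", "status"))
}
```

The added rule stays narrow: it permits `update` on the status subresource only, so other verbs such as `patch` on `managedclusters/status` remain denied.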