feat(Traefik Proxy): update rbac following v3.2 migration guide

traefik · Oct 4, 2024 · cae906e · cae906e
1 parent 7c81ff5
commit cae906e
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -149,8 +149,14 @@ rules:
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies
+      {{- end }}
       - gatewayclasses
       - gateways
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes
+      {{- end }}
       - httproutes
       - referencegrants
       - tcproutes
@@ -162,8 +168,14 @@ rules:
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies/status
+      {{- end }}
       - gatewayclasses/status
       - gateways/status
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes/status
+      {{- end }}
       - httproutes/status
       - tcproutes/status
       - tlsroutes/status

diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -643,7 +643,7 @@ tests:
   - it: should provide expected role rbac when k8s gw api is enabled >=v3.1.0
     set:
       image:
-        tag: v3.1.0-rc2
+        tag: v3.1.0-rc3
       providers:
         kubernetesGateway:
           enabled: true
@@ -717,6 +717,49 @@ tests:
               - list
               - watch
 
+  - it: should provide expected role rbac when k8s gw api is enabled >=v3.2.0
+    set:
+      image:
+        tag: v3.2.0-rc1
+      providers:
+        kubernetesGateway:
+          enabled: true
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - gateway.networking.k8s.io
+            resources:
+              - backendtlspolicies/status
+              - gatewayclasses/status
+              - gateways/status
+              - grpcroutes/status
+              - httproutes/status
+              - tcproutes/status
+              - tlsroutes/status
+            verbs:
+              - update
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - gateway.networking.k8s.io
+            resources:
+              - backendtlspolicies
+              - gatewayclasses
+              - gateways
+              - grpcroutes
+              - httproutes
+              - referencegrants
+              - tcproutes
+              - tlsroutes
+            verbs:
+              - get
+              - list
+              - watch
   - it: should contain additional RBACS for hub API gateway
     set:
       image: