fix(rbac): cutover-driver permissions for catalyst.openova.io/environmentpolicies (#1210)

Caught live on omantel after Fix #19 (#1208) restored /environments/{env}/policy:
  environmentpolicies.catalyst.openova.io is forbidden: User
  "system:serviceaccount:catalyst-system:catalyst-api-cutover-driver"
  cannot list resource environmentpolicies in API group catalyst.openova.io

Slice X (#1147) shipped the policy-mode toggle handler. Slice B5 (#1108)
shipped the EnvironmentPolicy CRD. Neither slice updated the cutover-driver
ClusterRole. Fix #19's handler restoration surfaced the gap end-to-end.

Per feedback_chroot_in_cluster_fallback.md: every new GVR added to
catalyst-api dynamic-client paths MUST get matching ClusterRole rules in
the same PR. Same pattern as PRs #1173/#1179.

Live: applied on omantel via kubectl patch + verified TC-101 PUT
/environments/test-env/policy returns HTTP 200 with full contract body.

Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
e3mrah 2026-05-09 18:20:48 +04:00 committed by GitHub
parent 0de2a8f14e
commit 88c34c24ba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -287,6 +287,19 @@ rules:
- apiGroups: ["catalyst.openova.io"]
resources: ["blueprints", "environments"]
verbs: ["get", "list", "watch"]
# EnvironmentPolicy CRD — backs slice X (#1147) PUT
# /environments/{env}/policy, restored to working contract by Fix #19
# (#1208) in qa-loop iter-3. Without this rule the handler 503s on
# the apiserver Create/Update with body
# environmentpolicies.catalyst.openova.io is forbidden.
# `create` MUST be split into its own rule WITHOUT resourceNames per
# feedback_rbac_create_no_resourcenames.md.
- apiGroups: ["catalyst.openova.io"]
resources: ["environmentpolicies"]
verbs: ["create"]
- apiGroups: ["catalyst.openova.io"]
resources: ["environmentpolicies"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
# Organization CRD — top-level tenancy resource surfaced on the
# /organizations page.
- apiGroups: ["orgs.openova.io"]
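Review bot: the second environmentpolicies rule (`verbs: ["get", "list", "watch", "update", "patch", "delete"]`) grants more than the handler described in the commit message appears to need: the PUT /environments/{env}/policy path is described as doing a list followed by Create/Update, so `delete` (and `patch`, if the handler only ever does Update) widens the cutover-driver beyond least privilege. Either drop the unused verbs or extend the comment to say which code path needs them. The comment above the rules also says "Without this rule the handler 503s on the apiserver Create/Update", but the live error quoted in the commit message was a forbidden `list`; mentioning list there would make the comment match the actual symptom, and since two rules are added, "Without these rules" is more accurate than "this rule".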