[release-1.15] Add jobsinks-addressable-resolver cluster role (#8301)

knative-prow-robot · mgencur · web-flow · commit e32831aeead7 · 2024-11-04T13:01:55.000Z
Add jobsinks-addressable-resolver cluster role

This will ensure that alld ServiceAccount that are bound to
"addressable-resolver" ClusterRole can read JobSinks.

Fixes issues like this for SinkBindings:
```
{"level":"error","ts":"2024-11-04T08:06:16.160Z","logger":"eventing-webhook","caller":"sinkbinding/sinkbinding.go:87",
"msg":"Failed to get Addressable from Destination:
%!w(*fmt.wrapError=&amp;{failed to get lister for
sinks.knative.dev/v1alpha1,
Resource=jobsinks: jobsinks.sinks.knative.dev is forbidden:
User \"system:serviceaccount:knative-eventing:eventing-webhook\"
cannot list resource \"jobsinks\" in API group \"sinks.knative.dev\"
```

Co-authored-by: Martin Gencur &lt;mgencur@redhat.com&gt;
diff --git a/config/core/roles/addressable-resolvers-clusterrole.yaml b/config/core/roles/addressable-resolvers-clusterrole.yaml
@@ -144,3 +144,25 @@ rules:
   - get
   - list
   - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jobsinks-addressable-resolver
+  labels:
+    duck.knative.dev/addressable: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+    - sinks.knative.dev
+  resources:
+    - jobsinks
+    - jobsinks/status
+  verbs:
+    - get
+    - list
+    - watch
