From 0dcfd326a76def2e58d9232bcfc6638740125c9a Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 17 Jul 2025 14:01:10 +0200 Subject: [PATCH 1/3] fix: Add RBAC permission to patch events --- deploy/helm/airflow-operator/templates/roles.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/helm/airflow-operator/templates/roles.yaml b/deploy/helm/airflow-operator/templates/roles.yaml index a4c532c4..4c2246e5 100644 --- a/deploy/helm/airflow-operator/templates/roles.yaml +++ b/deploy/helm/airflow-operator/templates/roles.yaml @@ -180,6 +180,7 @@ rules: - events verbs: - create + - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - apiGroups: - security.openshift.io From 848c61cb3a2b0e28b84d47a4cd68d5cee8d55238 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Mon, 21 Jul 2025 09:29:56 +0200 Subject: [PATCH 2/3] changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b00af54e..f810ce12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,9 @@ - The default Kubernetes cluster domain name is now fetched from the kubelet API unless explicitly configured. - This requires operators to have the RBAC permission to get nodes/proxy in the apiGroup "". The helm-chart takes care of this. - The CLI argument `--kubernetes-node-name` or env variable `KUBERNETES_NODE_NAME` needs to be set. The helm-chart takes care of this. +- The operator helm-chart now grants RBAC `patch` permissions on `events.k8s.io/events`. + This applies to the operator and the product ClusterRole, in the future we might be able to remove the `events` + permissions for the product entirely ([#660]). ### Fixed @@ -66,6 +69,7 @@ [#649]: https://github.com/stackabletech/airflow-operator/pull/649 [#651]: https://github.com/stackabletech/airflow-operator/pull/651 [#656]: https://github.com/stackabletech/airflow-operator/pull/656 +[#660]: https://github.com/stackabletech/airflow-operator/pull/660 ## [25.3.0] - 2025-03-21 From 8bf5d744b33175212af6ad3de4562c6eb588a491 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Mon, 21 Jul 2025 10:25:15 +0200 Subject: [PATCH 3/3] changelog --- CHANGELOG.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f810ce12..6fa5f2f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,9 +38,8 @@ - The default Kubernetes cluster domain name is now fetched from the kubelet API unless explicitly configured. - This requires operators to have the RBAC permission to get nodes/proxy in the apiGroup "". The helm-chart takes care of this. - The CLI argument `--kubernetes-node-name` or env variable `KUBERNETES_NODE_NAME` needs to be set. The helm-chart takes care of this. -- The operator helm-chart now grants RBAC `patch` permissions on `events.k8s.io/events`. - This applies to the operator and the product ClusterRole, in the future we might be able to remove the `events` - permissions for the product entirely ([#660]). +- The operator helm-chart now grants RBAC `patch` permissions on `events.k8s.io/events`, + so events can be aggregated (e.g. "error happened 10 times over the last 5 minutes") ([#660]). ### Fixed