From 7d915e60cd2f2c93a12bcafe3ed3f5ec4a8d373d Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Tue, 2 Mar 2021 07:47:59 +0100
Subject: [PATCH] Add explicit RBAC permissions for finalizers subresources
---
 upup/models/bindata.go | 19 +++++++++++++++++++
 .../k8s-1.12-v1.8.yaml.template | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/upup/models/bindata.go b/upup/models/bindata.go
index 0e029bfb7e2e3..7e2b77c18915e 100644
--- a/upup/models/bindata.go
+++ b/upup/models/bindata.go
@@ -31234,6 +31234,16 @@ rules:
 - ""
 resources:
 - pods
+ - pods/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - delete
+- apiGroups:
+ - ""
+ resources:
 - nodes
 verbs:
 - get
@@ -31270,12 +31280,16 @@ rules:
 - cilium.io
 resources:
 - ciliumnetworkpolicies
+ - ciliumnetworkpolicies/finalizers
 - ciliumnetworkpolicies/status
 - ciliumclusterwidenetworkpolicies
+ - ciliumclusterwidenetworkpolicies/finalizers
 - ciliumclusterwidenetworkpolicies/status
 - ciliumendpoints
+ - ciliumendpoints/finalizers
 - ciliumendpoints/status
 - ciliumnodes
+ - ciliumnodes/finalizers
 - ciliumnodes/status
 - ciliumidentities
 verbs:
@@ -31327,14 +31341,19 @@ rules:
 - cilium.io
 resources:
 - ciliumnetworkpolicies
+ - ciliumnetworkpolicies/finalizers
 - ciliumnetworkpolicies/status
 - ciliumclusterwidenetworkpolicies
+ - ciliumclusterwidenetworkpolicies/finalizers
 - ciliumclusterwidenetworkpolicies/status
 - ciliumendpoints
+ - ciliumendpoints/finalizers
 - ciliumendpoints/status
 - ciliumnodes
+ - ciliumnodes/finalizers
 - ciliumnodes/status
 - ciliumidentities
+ - ciliumidentities/finalizers
 - ciliumidentities/status
 verbs:
 - '*'
diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
index 24276fb4927d1..0ebee55652c74 100644
--- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.8.yaml.template
@@ -237,6 +237,16 @@ rules:
 - ""
 resources:
 - pods
+ - pods/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - delete
+- apiGroups:
+ - ""
+ resources:
 - nodes
 verbs:
 - get
@@ -273,12 +283,16 @@ rules:
 - cilium.io
 resources:
 - ciliumnetworkpolicies
+ - ciliumnetworkpolicies/finalizers
 - ciliumnetworkpolicies/status
 - ciliumclusterwidenetworkpolicies
+ - ciliumclusterwidenetworkpolicies/finalizers
 - ciliumclusterwidenetworkpolicies/status
 - ciliumendpoints
+ - ciliumendpoints/finalizers
 - ciliumendpoints/status
 - ciliumnodes
+ - ciliumnodes/finalizers
 - ciliumnodes/status
 - ciliumidentities
 verbs:
@@ -330,14 +344,19 @@ rules:
 - cilium.io
 resources:
 - ciliumnetworkpolicies
+ - ciliumnetworkpolicies/finalizers
 - ciliumnetworkpolicies/status
 - ciliumclusterwidenetworkpolicies
+ - ciliumclusterwidenetworkpolicies/finalizers
 - ciliumclusterwidenetworkpolicies/status
 - ciliumendpoints
+ - ciliumendpoints/finalizers
 - ciliumendpoints/status
 - ciliumnodes
+ - ciliumnodes/finalizers
 - ciliumnodes/status
 - ciliumidentities
+ - ciliumidentities/finalizers
 - ciliumidentities/status
 verbs:
 - '*'
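Review bot: The rule created at the top of the first hunk (line 237) grants `update` and `delete` on `pods` itself, not only on `pods/finalizers`, which is wider than the commit title describes. If the aim is to satisfy the owner-reference (blockOwnerDeletion) admission check, only `update` on the `finalizers` subresource is needed, and get/list/watch/delete on `pods/finalizers` add nothing. Whether `pods` already had `update`/`delete` cannot be seen here, because the old verbs list continues past the hunk; if it did not, leave `pods` in the original rule and add a narrow rule as below, or add a comment above the new rule saying why this role must modify and delete pods. The same change is mirrored in the generated `upup/models/bindata.go`.

```yaml
# … unchanged: existing rule listing pods and nodes with its original verbs …
- apiGroups:
  - ""
  resources:
  - pods/finalizers
  verbs:
  - update
```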
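Review bot: The five `*/finalizers` entries added in the third hunk (line 330) sit under `verbs: - '*'`, so each finalizers subresource receives every verb where `update` is the only one that has an effect for owner-reference checks. Consider listing them in a separate rule with `verbs: [update]` so the wildcard grant is not extended further, or add a comment such as `# finalizers: only update is required; kept under '*' to match upstream` if parity with the upstream manifest is the reason. This rule also adds `ciliumidentities/finalizers`, while the rule in the second hunk (line 273) lists `ciliumidentities` without it; a one-line comment stating that the difference is intentional would help the next reviewer. The rule begins above the hunk, so its apiGroups header is not visible here.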