diff --git a/pkg/render/node.go b/pkg/render/node.go index 1cd34717d2..8038d6f59e 100644 --- a/pkg/render/node.go +++ b/pkg/render/node.go @@ -62,6 +62,7 @@ const ( CalicoNodeMetricsService = "calico-node-metrics" NodePrometheusTLSServerSecret = "calico-node-prometheus-server-tls" CalicoNodeObjectName = "calico-node" + CalicoCNIPluginObjectName = "calico-cni-plugin" ) var ( @@ -182,6 +183,9 @@ func (c *nodeComponent) Objects() ([]client.Object, []client.Object) { c.nodeServiceAccount(), c.nodeRole(), c.nodeRoleBinding(), + c.cniPluginServiceAccount(), + c.cniPluginRole(), + c.cniPluginRoleBinding(), } // These are objects to keep even when we're terminating @@ -254,6 +258,23 @@ func (c *nodeComponent) nodeServiceAccount() *corev1.ServiceAccount { } } +// cniPluginServiceAccount creates the Calico CNI plugin's service account. +func (c *nodeComponent) cniPluginServiceAccount() *corev1.ServiceAccount { + finalizer := []string{} + if !c.cfg.Terminating { + finalizer = []string{NodeFinalizer} + } + + return &corev1.ServiceAccount{ + TypeMeta: metav1.TypeMeta{Kind: "ServiceAccount", APIVersion: "v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: CalicoCNIPluginObjectName, + Namespace: common.CalicoNamespace, + Finalizers: finalizer, + }, + } +} + // nodeRoleBinding creates a clusterrolebinding giving the node service account the required permissions to operate. func (c *nodeComponent) nodeRoleBinding() *rbacv1.ClusterRoleBinding { finalizer := []string{} 
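Review bot: The doc comment on `cniPluginServiceAccount` does not say why this account exists separately from `calico-node`, which is the first thing an auditor of the RBAC split will want to know. I would extend it to something like `// cniPluginServiceAccount creates the service account the CNI plugin authenticates as; calico-node mints its tokens via the serviceaccounts/token rule in nodeRole.` The `NodeFinalizer` handling looks copied from `nodeServiceAccount`; a one-line comment stating that it holds the account until node teardown completes (if that is the intent) would help.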
@@ -286,6 +307,34 @@ func (c *nodeComponent) nodeRoleBinding() *rbacv1.ClusterRoleBinding { return crb } +// cniPluginRoleBinding creates a rolebinding giving the Calico CNI plugin service account the required permissions to operate. +func (c *nodeComponent) cniPluginRoleBinding() *rbacv1.ClusterRoleBinding { + finalizer := []string{} + if !c.cfg.Terminating { + finalizer = []string{NodeFinalizer} + } + crb := &rbacv1.ClusterRoleBinding{ + TypeMeta: metav1.TypeMeta{Kind: "ClusterRoleBinding", APIVersion: "rbac.authorization.k8s.io/v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: CalicoCNIPluginObjectName, + Finalizers: finalizer, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "ClusterRole", + Name: CalicoCNIPluginObjectName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Name: CalicoCNIPluginObjectName, + Namespace: common.CalicoNamespace, + }, + }, + } + return crb +} + // nodeRole creates the clusterrole containing policy rules that allow the node daemonset to operate normally. func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole { finalizer := []string{} @@ -347,7 +396,7 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole { // Used for creating service account tokens to be used by the CNI plugin. APIGroups: []string{""}, Resources: []string{"serviceaccounts/token"}, - ResourceNames: []string{"calico-node"}, + ResourceNames: []string{"calico-cni-plugin"}, Verbs: []string{"create"}, }, { @@ -360,6 +409,7 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole { // For monitoring Calico-specific configuration. APIGroups: []string{"crd.projectcalico.org"}, Resources: []string{ + "bgpfilters", "bgpconfigurations", "bgppeers", "blockaffinities", 
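Review bot: The doc comment on `cniPluginRoleBinding` says "rolebinding", but the function returns a `ClusterRoleBinding`, so the grant applies in every namespace rather than only in `common.CalicoNamespace`. That scope is what a reader checking the plugin's reach needs to see; suggest `// cniPluginRoleBinding creates a clusterrolebinding granting the calico-cni-plugin ClusterRole to the CNI plugin service account cluster-wide.` The same wording slip appears on `cniPluginRole` ("creates the role") in a later hunk.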
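Review bot: The `ResourceNames` entry in the `serviceaccounts/token` rule is a string literal, while this commit introduces `CalicoCNIPluginObjectName` for the same value; if the two drift, calico-node's token-minting permission would no longer match the account that is actually created. Prefer `ResourceNames: []string{CalicoCNIPluginObjectName},`. Separately, it looks like calico-node pods from the previous version would still request tokens for `calico-node` during a rolling upgrade and be denied once this ClusterRole is applied, so the upgrade ordering is worth confirming. The enclosing `nodeRole` body starts and ends outside this hunk.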
@@ -437,13 +487,6 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole { Resources: []string{"blockaffinities"}, Verbs: []string{"watch"}, }, - { - // Allows Calico to use the K8s TokenRequest API to create the tokens used by the CNI plugin. - APIGroups: []string{""}, - Resources: []string{"serviceaccounts/token"}, - ResourceNames: []string{"calico-node"}, - Verbs: []string{"create"}, - }, }, } if c.cfg.Installation.Variant == operatorv1.TigeraSecureEnterprise { @@ -493,6 +536,53 @@ func (c *nodeComponent) nodeRole() *rbacv1.ClusterRole { return role } +// cniPluginRole creates the role containing policy rules that allow the Calico CNI plugin to operate normally. +func (c *nodeComponent) cniPluginRole() *rbacv1.ClusterRole { + finalizer := []string{} + if !c.cfg.Terminating { + finalizer = []string{NodeFinalizer} + } + role := &rbacv1.ClusterRole{ + TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"}, + ObjectMeta: metav1.ObjectMeta{ + Name: CalicoCNIPluginObjectName, + Finalizers: finalizer, + }, + + Rules: []rbacv1.PolicyRule{ + { + // The CNI plugin needs to get pods, nodes, namespaces. + APIGroups: []string{""}, + Resources: []string{"pods", "nodes", "namespaces"}, + Verbs: []string{"get"}, + }, + { + // Calico patches the allocated IP onto the pod. + APIGroups: []string{""}, + Resources: []string{"pods/status"}, + Verbs: []string{"patch"}, + }, + { + // Most IPAM resources need full CRUD permissions so we can allocate and + // release IP addresses for pods. + APIGroups: []string{"crd.projectcalico.org"}, + Resources: []string{ + "blockaffinities", + "ipamblocks", + "ipamhandles", + "ipamconfigs", + "clusterinformations", + "ippools", + "ipreservations", + }, + Verbs: []string{"get", "list", "create", "update", "delete"}, + }, + }, + } + + return role +} + func (c *nodeComponent) createCalicoPluginConfig() map[string]interface{} { // Determine MTU to use for veth interfaces. // Zero means to use auto-detection. 
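Review bot: The third rule in `cniPluginRole` grants `create`, `update` and `delete` on every listed resource, although its own comment says only "most" IPAM resources need full CRUD. `ippools`, `ipreservations`, `ipamconfigs` and `clusterinformations` are cluster-wide configuration, and this role is bound cluster-wide to the identity whose token is handed to the CNI plugin, so write access there appears wider than the allocation path needs. I would split the rule so that only the allocation state keeps write verbs and the configuration resources become read-only, after confirming against the plugin's IPAM code which ones it actually writes.

```go
	Rules: []rbacv1.PolicyRule{
		// … unchanged: pods/nodes/namespaces get rule and pods/status patch rule …
		{
			// Allocation state is written when pod IPs are assigned and released.
			APIGroups: []string{"crd.projectcalico.org"},
			Resources: []string{"blockaffinities", "ipamblocks", "ipamhandles"},
			Verbs:     []string{"get", "list", "create", "update", "delete"},
		},
		{
			// Cluster-wide configuration; read-only unless the plugin is shown to write it.
			APIGroups: []string{"crd.projectcalico.org"},
			Resources: []string{"ipamconfigs", "clusterinformations", "ippools", "ipreservations"},
			Verbs:     []string{"get", "list"},
		},
	},
```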
diff --git a/pkg/render/node_test.go b/pkg/render/node_test.go index 7384e9b770..9f9d1e4f92 100644 --- a/pkg/render/node_test.go +++ b/pkg/render/node_test.go @@ -76,7 +76,7 @@ var _ = Describe("Node rendering tests", func() { var typhaNodeTLS *render.TyphaNodeTLS var k8sServiceEp k8sapi.ServiceEndpoint one := intstr.FromInt(1) - defaultNumExpectedResources := 6 + defaultNumExpectedResources := 9 const defaultClusterDomain = "svc.cluster.local" var defaultMode int32 = 420 var cfg render.NodeConfiguration @@ -166,6 +166,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
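Review bot: The expected-resource lists in this hunk, and in the matching hunks further down node_test.go, pin only the name, namespace and kind of the three new `calico-cni-plugin` objects. Nothing in the hunks shown asserts the rules of the new ClusterRole or that the `serviceaccounts/token` rule in nodeRole now names `calico-cni-plugin`. Since the change is about narrowing what the plugin's token can do, a regression that widens the verbs would still pass these tests. Consider one spec that fetches the rendered ClusterRole and compares its `Rules` against the intended list, plus an assertion on the token rule's `ResourceNames`; such a test may already exist outside the hunks shown.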
@@ -424,6 +427,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -747,6 +753,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-node-metrics", ns: "calico-system", group: "", version: "v1", kind: "Service"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, 
@@ -835,6 +844,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -981,6 +993,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -1391,6 +1406,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -1740,6 +1758,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -1852,6 +1873,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-node-metrics", ns: "calico-system", group: "", version: "v1", kind: "Service"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, 
@@ -1948,6 +1972,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "calico-node-metrics", ns: "calico-system", group: "", version: "v1", kind: "Service"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, 
@@ -2044,6 +2071,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: render.BirdTemplatesConfigMapName, ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, 
@@ -2538,6 +2568,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -2993,6 +3026,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, 
@@ -3245,6 +3281,9 @@ var _ = Describe("Node rendering tests", func() { {name: "calico-node", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, {name: "calico-node", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, + {name: "calico-cni-plugin", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ServiceAccount"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, + {name: "calico-cni-plugin", ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRoleBinding"}, {name: "cni-config", ns: common.CalicoNamespace, group: "", version: "v1", kind: "ConfigMap"}, {name: common.NodeDaemonSetName, ns: "", group: "policy", version: "v1beta1", kind: "PodSecurityPolicy"}, {name: common.NodeDaemonSetName, ns: common.CalicoNamespace, group: "apps", version: "v1", kind: "DaemonSet"}, diff --git a/pkg/render/render_test.go b/pkg/render/render_test.go index 32fc395d99..b1c347e2da 100644 --- a/pkg/render/render_test.go +++ b/pkg/render/render_test.go @@ -197,6 +197,7 @@ var _ = Describe("Rendering tests", func() { // For this scenario, we expect the basic resources // created by the controller without any optional ones. These include: // - 6 node resources (ServiceAccount, ClusterRole, Binding, ConfigMap, DaemonSet, PodSecurityPolicy) + // - 3 calico-cni-plugin resources (ServiceAccount, ClusterRole, CLusterRoleBinding) // - 4 secrets for Typha comms (2 in operator namespace and 2 in calico namespace) // - 1 ConfigMap for Typha comms (1 in calico namespace) // - 7 typha resources (Service, SA, Role, Binding, Deployment, PodDisruptionBudget, PodSecurityPolicy) 
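Review bot: The comment line added in render_test.go misspells the kind as `CLusterRoleBinding`; it should read `// - 3 calico-cni-plugin resources (ServiceAccount, ClusterRole, ClusterRoleBinding)`. The neighbouring "6 node resources" line abbreviates the same kind as "Binding", so either form works as long as the two lines agree.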
@@ -204,7 +205,7 @@ var _ = Describe("Rendering tests", func() { // - 1 namespace c, err := allCalicoComponents(k8sServiceEp, instance, nil, nil, nil, typhaNodeTLS, nil, nil, nil, false, "", dns.DefaultClusterDomain, 9094, 0, nil, nil) Expect(err).To(BeNil(), "Expected Calico to create successfully %s", err) - Expect(componentCount(c)).To(Equal(6 + 4 + 1 + 7 + 6 + 1)) + Expect(componentCount(c)).To(Equal(6 + 3 + 4 + 1 + 7 + 6 + 1)) Expect(getAKSWindowsUpgraderComponentCount(c)).To(Equal(0)) }) @@ -218,7 +219,7 @@ var _ = Describe("Rendering tests", func() { instance.NodeMetricsPort = &nodeMetricsPort c, err := allCalicoComponents(k8sServiceEp, instance, nil, nil, nil, typhaNodeTLS, nil, nil, nil, false, "", dns.DefaultClusterDomain, 9094, 0, nil, nil) Expect(err).To(BeNil(), "Expected Calico to create successfully %s", err) - Expect(componentCount(c)).To(Equal((6 + 4 + 1 + 7 + 6 + 1) + 1 + 1)) + Expect(componentCount(c)).To(Equal((6 + 3 + 4 + 1 + 7 + 6 + 1) + 1 + 1)) Expect(getAKSWindowsUpgraderComponentCount(c)).To(Equal(0)) }) @@ -257,6 +258,9 @@ var _ = Describe("Rendering tests", func() { {common.NodeDaemonSetName, common.CalicoNamespace, "", "v1", "ServiceAccount"}, {common.NodeDaemonSetName, "", "rbac.authorization.k8s.io", "v1", "ClusterRole"}, {common.NodeDaemonSetName, "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding"}, + {"calico-cni-plugin", common.CalicoNamespace, "", "v1", "ServiceAccount"}, + {"calico-cni-plugin", "", "rbac.authorization.k8s.io", "v1", "ClusterRole"}, + {"calico-cni-plugin", "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding"}, {"calico-node-metrics", common.CalicoNamespace, "", "v1", "Service"}, {"cni-config", common.CalicoNamespace, "", "v1", "ConfigMap"}, {common.NodeDaemonSetName, "", "policy", "v1beta1", "PodSecurityPolicy"},