From cd095faeb817a3f7572715315510cefa42c1720d Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 18 Nov 2025 04:38:02 +0000 Subject: [PATCH] fix(rbac): correct API group from stream.streamspace.io to stream.space The RBAC rules were using the incorrect API group 'stream.streamspace.io' instead of 'stream.space' which the CRDs actually use. This caused the API service account to fail when listing templates with a forbidden error. --- chart/templates/rbac.yaml | 12 ++++++------ manifests/kubectl/rbac.yaml | 20 ++++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml index 7fba988a..009dc790 100644 --- a/chart/templates/rbac.yaml +++ b/chart/templates/rbac.yaml @@ -9,13 +9,13 @@ metadata: {{- include "streamspace.controller.labels" . | nindent 4 }} rules: # Sessions and Templates CRDs - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions", "templates"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions/status", "templates/status"] verbs: ["get", "update", "patch"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions/finalizers", "templates/finalizers"] verbs: ["update"] @@ -68,13 +68,13 @@ metadata: {{- include "streamspace.api.labels" . | nindent 4 }} rules: # Sessions and Templates CRDs - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions", "templates"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions/status", "templates/status"] verbs: ["get", "update", "patch"] - + # Pods for logs streaming - apiGroups: [""] resources: ["pods", "pods/log"] diff --git a/manifests/kubectl/rbac.yaml b/manifests/kubectl/rbac.yaml index 42454768..f41a9bed 100644 --- a/manifests/kubectl/rbac.yaml +++ b/manifests/kubectl/rbac.yaml @@ -26,34 +26,34 @@ metadata: app.kubernetes.io/component: controller rules: # Session resources - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions/status"] verbs: ["get", "update", "patch"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions/finalizers"] verbs: ["update"] # Template resources - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["templates"] verbs: ["get", "list", "watch"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["templates/status"] verbs: ["get"] # TemplateRepository resources - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["templaterepositories"] verbs: ["get", "list", "watch"] # Connection resources - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["connections"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["connections/status"] verbs: ["get", "update", "patch"] @@ -160,10 +160,10 @@ metadata: app.kubernetes.io/component: api rules: # Read-only access to CRDs - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions", "templates", "templaterepositories", "connections"] verbs: ["get", "list", "watch"] - - apiGroups: ["stream.streamspace.io"] + - apiGroups: ["stream.space"] resources: ["sessions/status", "templates/status", "connections/status"] verbs: ["get"]