fix: grant server-creator events permission for boot diagnostics #465
Merged
api PR 5stackgg/api#166 (commit 5stackgg/api@cde4e55, merged 2026-04-23) introduced LoggingService.getEventsForObject() which calls listNamespacedEvent for boot diagnostics, but the server-creator role was never granted the events permission, producing 403s in production. Closes #463
Summary
events (get/list/watch) to the namespaced server-creator-role
Root cause
api PR 5stackgg/api#166 (commit cde4e55, merged 2026-04-23) introduced src/k8s/logging/bootDiagnostics.ts and a new LoggingService.getEventsForObject() that calls coreApi.listNamespacedEvent(...). The new code path requires the events resource permission, but RBAC wasn't updated alongside it — producing 403s in production:
Verified via git show 5395a63:base/api/rbac/role.yaml and the #424 diff that events was never previously in the role — this is a missing-grant bug from #166, not a regression from RBAC scoping.
Test plan
Failed to list Pod events for ... 403 warnings
kubectl auth can-i list events --as=system:serviceaccount:5stack:server-creator -n 5stack returns yes
Closes #463
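The missing-grant condition described in the PR above can be caught before deploy by evaluating a Role's rules against the permissions each client call needs. This is an added example, not code from the PR or the project; the rule sets, the `REQUIRED` mapping and the helper names are constructed for illustration, and only the events grant (get/list/watch) is taken from the PR.

```javascript
// Constructed example: which client calls would a Role reject with 403?
// Only the events grant (get/list/watch) comes from the PR; other rules are made up.

// Permission each client call needs. listNamespacedEvent is a CoreV1Api call,
// so it targets the core API group ("") and needs "list" on "events".
const REQUIRED = {
  listNamespacedPod: { apiGroup: "", resource: "pods", verb: "list" },
  listNamespacedEvent: { apiGroup: "", resource: "events", verb: "list" },
};

// A rule field matches when it lists the wanted value or the "*" wildcard.
const matches = (list, want) =>
  Array.isArray(list) && (list.includes("*") || list.includes(want));

// RBAC is additive: access is granted if any single rule matches
// apiGroup, resource and verb together.
function isAllowed(rules, { apiGroup, resource, verb }) {
  return rules.some(
    (r) =>
      matches(r.apiGroups, apiGroup) &&
      matches(r.resources, resource) &&
      matches(r.verbs, verb)
  );
}

// Returns the calls from `calls` that the rules do not cover.
function missingGrants(rules, calls) {
  return calls.filter((call) => {
    if (!REQUIRED[call]) throw new Error(`no permission mapping for ${call}`);
    return !isAllowed(rules, REQUIRED[call]);
  });
}

// Hypothetical role before the fix: pods are covered, events are not.
const roleBefore = [
  { apiGroups: [""], resources: ["pods", "pods/log"], verbs: ["get", "list", "watch"] },
];
// After the fix: the events rule the PR describes.
const roleAfter = [
  ...roleBefore,
  { apiGroups: [""], resources: ["events"], verbs: ["get", "list", "watch"] },
];

const calls = ["listNamespacedPod", "listNamespacedEvent"];
console.log("before:", missingGrants(roleBefore, calls));
console.log("after: ", missingGrants(roleAfter, calls));
```

A rule that names `events` under a different API group, or grants only `get`, still leaves `listNamespacedEvent` uncovered, because all three fields must match within one rule.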