[RS-2296] Updated rbac for idc - list available for cm, secrets and w…

…ebhooks. (#3758) * updated rbac for idc - list available for cm, secrets and webhooks. * copyright. * test to reflect the changes made. * copyright again. * after make gen-versions.
tigera · Feb 12, 2025 · fac2b23 · fac2b23
1 parent 57cdab7
commit fac2b23
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml
@@ -307,6 +307,13 @@ spec:
                   FrontendMap should be large enough to hold an entry for each nodeport,
                   external IP and each port in each service.
                 type: integer
+              bpfMapSizePerCpuConntrack:
+                description: |-
+                  BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a
+                  non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`.
+                  This map must be large enough to hold an entry for each active connection.  Warning: changing the size of the
+                  conntrack map can cause disruption.
+                type: integer
               bpfMapSizeRoute:
                 description: |-
                   BPFMapSizeRoute sets the size for the routes map.  The routes map should be large enough

diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -315,12 +315,12 @@ func (c *intrusionDetectionComponent) intrusionDetectionClusterRole() *rbacv1.Cl
 		{
 			APIGroups: []string{""},
 			Resources: []string{"secrets", "configmaps"},
-			Verbs:     []string{"get", "watch"},
+			Verbs:     []string{"get", "list", "watch"},
 		},
 		{
 			APIGroups: []string{"crd.projectcalico.org"},
 			Resources: []string{"securityeventwebhooks"},
-			Verbs:     []string{"get", "watch", "update"},
+			Verbs:     []string{"get", "list", "watch", "update"},
 		},
 		{
 			APIGroups: []string{"crd.projectcalico.org"},

diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -205,12 +205,12 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 			rbacv1.PolicyRule{
 				APIGroups: []string{""},
 				Resources: []string{"secrets", "configmaps"},
-				Verbs:     []string{"get", "watch"},
+				Verbs:     []string{"get", "list", "watch"},
 			},
 			rbacv1.PolicyRule{
 				APIGroups: []string{"crd.projectcalico.org"},
 				Resources: []string{"securityeventwebhooks"},
-				Verbs:     []string{"get", "watch", "update"},
+				Verbs:     []string{"get", "list", "watch", "update"},
 			},
 			rbacv1.PolicyRule{
 				APIGroups: []string{"crd.projectcalico.org"},