fix(ci): grant ci-deployer Endpoints write (admin role excludes it)

The deploy failed creating the selectorless stalwart-http Service's
Endpoints: since the CVE-2021-25740 hardening the namespaced 'admin' role
no longer grants write on legacy Endpoints. Explicit endpoints +
endpointslices rules on the ci-deployer role (already applied live);
manifest comment touch retriggers the infra apply.
Ronni Baslund
2026-06-11 08:08:42 +02:00
parent 88ac5e620c
commit 716d854b3d
2 changed files with 12 additions and 0 deletions
@@ -48,6 +48,15 @@ rules:
- apiGroups: ["traefik.io"]
resources: ["middlewares"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# 'admin' stopped granting WRITE on legacy Endpoints (CVE-2021-25740
# hardening), but the selectorless stalwart-http Service needs its
# Endpoints applied by the pipeline. EndpointSlice included for parity.
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
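Review bot: the two new rules (`resources: ["endpoints"]` and `resources: ["endpointslices"]`, both with the full verb list) hand ci-deployer exactly the capability the CVE-2021-25740 hardening removed from `admin`: write on Endpoints/EndpointSlices lets the holder point any Service in the namespace at arbitrary backend IPs. The comment itself says only the selectorless stalwart-http Service needs its Endpoints applied, so scope the Endpoints rule with `resourceNames: ["stalwart-http"]` (Kubernetes does not apply resourceNames to `create`, so a first-time create needs either a one-off broader grant or a pre-created object) and drop `delete` unless the pipeline actually removes the object. The EndpointSlice rule is justified only "for parity"; if nothing in the pipeline writes EndpointSlices, leave it out rather than widen the grant.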