Add coordination access to controller cluster role

infrastructure/hydra/truenas-csi/controller-cluster-role.yaml

@@ -136,3 +136,15 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+  - delete
+  - list
+  - watch

infrastructure/hydra/truenas-csi/kuztomization.yaml

@@ -4,16 +4,16 @@ metadata:
   name: truenas-csi
   namespace: truenas-csi
 resources:
-- CSIDriver.yaml
-- nfs-storage-class.yaml
-- controller-deployment.yaml
-- controller-binding.yaml
-- node-binding.yaml
+- node-cluster-role.yaml
 - config.yaml
+- nfs-storage-class.yaml
 - iscsi-storage-class.yaml
 - namespace.yaml
 - controller-service-account.yaml
 - controller-cluster-role.yaml
-- node-service-account.yaml
-- node-cluster-role.yaml
+- node-binding.yaml
 - node-deamonset.yaml
+- CSIDriver.yaml
+- controller-deployment.yaml
+- controller-binding.yaml
+- node-service-account.yaml

pkg/truenas/rbac.go

@@ -25,6 +25,7 @@ func controllerClusterRole() rbac.ClusterRole {
 		kube.PolicyRule(kube.APIGroupSnapshot, kube.ResourceVolumeSnapshotContents, kube.VerbsAll()),
 		kube.PolicyRule(kube.APIGroupSnapshot, kube.ResourceVolumeSnapshotContentsStatus, kube.VerbsMutate()),
 		kube.PolicyRule(kube.APIGroupSnapshot, kube.ResourceVolumeSnapshotClases, kube.VerbsRead()),
+		kube.PolicyRule(kube.APIGroupCoordination, kube.ResourceLeases, kube.VerbsAll()),
 	}
 	return kube.ClusterRole(root.TrueNAS_CSI+"-controller-role", rules)
 }