From f6ddf84ee69714ea99c01759ef73e4c8f19eae66 Mon Sep 17 00:00:00 2001
From: Patrick Zhan
Date: Tue, 17 Mar 2026 12:18:06 -0700
Subject: [PATCH] Add HEP-related RBAC for policy recommendation

The host endpoint policy recommendation engine needs access to stagedglobalnetworkpolicies, globalnetworkpolicies, and hostendpoints resources (including their tier-scoped variants) to create and manage recommended policies for non-cluster hosts.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 pkg/render/policyrecommendation.go | 5 +++++
 pkg/render/policyrecommendation_test.go | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/pkg/render/policyrecommendation.go b/pkg/render/policyrecommendation.go
index 95476eb934..c5532df965 100644
--- a/pkg/render/policyrecommendation.go
+++ b/pkg/render/policyrecommendation.go
@@ -155,7 +155,12 @@ func (pr *policyRecommendationComponent) clusterRole() client.Object {
 "tier.stagednetworkpolicies",
 "networkpolicies",
 "tier.networkpolicies",
+"stagedglobalnetworkpolicies",
+"tier.stagedglobalnetworkpolicies",
+"globalnetworkpolicies",
+"tier.globalnetworkpolicies",
 "globalnetworksets",
+"hostendpoints",
 },
 Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
 },
diff --git a/pkg/render/policyrecommendation_test.go b/pkg/render/policyrecommendation_test.go
index 6b40abe8eb..ebc2331c31 100644
--- a/pkg/render/policyrecommendation_test.go
+++ b/pkg/render/policyrecommendation_test.go
@@ -151,7 +151,12 @@ var _ = Describe("Policy recommendation rendering tests", func() {
 "tier.stagednetworkpolicies",
 "networkpolicies",
 "tier.networkpolicies",
+"stagedglobalnetworkpolicies",
+"tier.stagedglobalnetworkpolicies",
+"globalnetworkpolicies",
+"tier.globalnetworkpolicies",
 "globalnetworksets",
+"hostendpoints",
 },
 Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
 },
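Review bot: Adding `"globalnetworkpolicies"`, `"tier.globalnetworkpolicies"` and `"hostendpoints"` to this rule grants the recommendation controller `create`, `delete`, `patch` and `update` on enforced cluster-wide policy and on host endpoint objects, because the hunk shares the existing `Verbs` line rather than giving the new resources their own rule. The commit message only describes creating and managing recommended (staged) policies for non-cluster hosts, so write access to the non-staged global policies and to hostendpoints looks wider than that use case needs; if the engine only reads them to discover hosts and avoid conflicts, consider moving those resources to a separate rule with `Verbs: []string{"get", "list", "watch"}` and keeping the full verb set for the staged variants. Please confirm against the engine's actual writes before widening a ClusterRole this way, and note the test hunk mirrors the same list, so it would not catch the over-grant either. The enclosing `clusterRole()` body begins before and continues after this hunk.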