[node operator] RBAC: add missing permissions

Signed-off-by: Malte Poll <mp@edgeless.systems>

operators/constellation-node-operator/controllers/nodeimage_controller.go

@@ -63,6 +63,9 @@ func NewNodeImageReconciler(nodeReplacer nodeReplacer, client client.Client, sch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nodemaintenance.medik8s.io,resources=nodemaintenances,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=nodes/status,verbs=get
 
 // Reconcile replaces outdated nodes (using an old image) with new nodes (using a new image) as specified in the NodeImage spec.
 func (r *NodeImageReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

operators/constellation-node-operator/controllers/pendingnode_controller.go

@@ -51,6 +51,8 @@ func NewPendingNodeReconciler(nodeStateGetter nodeStateGetter, client client.Cli
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=pendingnodes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=pendingnodes/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=pendingnodes/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=nodes/status,verbs=get
 
 // Reconcile observes the state of a pending node that is either trying to join the cluster or is leaving the cluster (waiting to be destroyed).
 // If the node is trying to join the cluster and fails to join within the deadline referenced in the PendingNode spec, the node is deleted.

operators/constellation-node-operator/controllers/scalinggroup_controller.go

@@ -49,7 +49,7 @@ func NewScalingGroupReconciler(scalingGroupUpdater scalingGroupUpdater, client c
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=scalinggroups/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=scalinggroups/finalizers,verbs=update
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimage,verbs=get;list;watch
-//+kubebuilder:rbac:groups=apps,resources=nodeimage/status,verbs=get
+//+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages/status,verbs=get
 
 // Reconcile reads the latest node image from the referenced NodeImage spec and updates the scaling group to match.
 func (r *ScalingGroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {