[node operator] RBAC: add missing permissions

Signed-off-by: Malte Poll <mp@edgeless.systems>

operators/constellation-node-operator/config/rbac/role.yaml

@@ -5,6 +5,24 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - get
 - apiGroups:
   - apps
   resources:
@@ -17,11 +35,17 @@ rules:
   - update
   - watch
 - apiGroups:
-  - apps
+  - nodemaintenance.medik8s.io
   resources:
-  - nodeimage/status
+  - nodemaintenances
   verbs:
+  - create
+  - delete
   - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - update.edgeless.systems
   resources:

operators/constellation-node-operator/controllers/nodeimage_controller.go

@@ -63,6 +63,9 @@ func NewNodeImageReconciler(nodeReplacer nodeReplacer, client client.Client, sch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages/finalizers,verbs=update
+//+kubebuilder:rbac:groups=nodemaintenance.medik8s.io,resources=nodemaintenances,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=nodes/status,verbs=get
 
 // Reconcile replaces outdated nodes (using an old image) with new nodes (using a new image) as specified in the NodeImage spec.
 func (r *NodeImageReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {

operators/constellation-node-operator/controllers/pendingnode_controller.go

@@ -51,6 +51,8 @@ func NewPendingNodeReconciler(nodeStateGetter nodeStateGetter, client client.Cli
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=pendingnodes,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=pendingnodes/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=pendingnodes/finalizers,verbs=update
+//+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=nodes/status,verbs=get
 
 // Reconcile observes the state of a pending node that is either trying to join the cluster or is leaving the cluster (waiting to be destroyed).
 // If the node is trying to join the cluster and fails to join within the deadline referenced in the PendingNode spec, the node is deleted.

operators/constellation-node-operator/controllers/scalinggroup_controller.go

@@ -49,7 +49,7 @@ func NewScalingGroupReconciler(scalingGroupUpdater scalingGroupUpdater, client c
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=scalinggroups/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=scalinggroups/finalizers,verbs=update
 //+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimage,verbs=get;list;watch
-//+kubebuilder:rbac:groups=apps,resources=nodeimage/status,verbs=get
+//+kubebuilder:rbac:groups=update.edgeless.systems,resources=nodeimages/status,verbs=get
 
 // Reconcile reads the latest node image from the referenced NodeImage spec and updates the scaling group to match.
 func (r *ScalingGroupReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {