fix(ci): add watch permission for Woodpecker CI deployments
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed

Woodpecker CI was timing out when watching deployment rollout status
due to missing RBAC permissions. The deployments were succeeding but
CI couldn't verify completion.

Changes:
- Add 'watch' verb to woodpecker-deployer Role
- Add threesix/default service account to RoleBinding
- Consolidate woodpecker-deployer RBAC into base/rbac.yaml

This resolves the "Failed to watch: deployments.apps is forbidden"
errors in CI logs while maintaining successful deployment rollouts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
jordan 2026-02-09 01:14:00 -07:00
parent 88e4eb7f3f
commit 70143fa1cd

@ -50,3 +50,38 @@ roleRef:
kind: Role kind: Role
name: rdev-api name: rdev-api
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
---
# RBAC for Woodpecker CI to deploy to rdev namespace
# Allows CI service accounts to apply deployment patches and watch rollout status
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: woodpecker-deployer
namespace: rdev
labels:
app.kubernetes.io/name: woodpecker-deployer
app.kubernetes.io/part-of: rdev
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "patch", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-deployer
namespace: rdev
labels:
app.kubernetes.io/name: woodpecker-deployer
app.kubernetes.io/part-of: rdev
subjects:
- kind: ServiceAccount
name: default
namespace: rdev
- kind: ServiceAccount
name: default
namespace: threesix
roleRef:
kind: Role
name: woodpecker-deployer
apiGroup: rbac.authorization.k8s.io
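
Review bot: The RoleBinding subjects grant this Role to the `default` ServiceAccount in both `rdev` and `threesix`, so every pod in those namespaces that does not set its own service account inherits `patch` on deployments in `rdev`, not only the Woodpecker pipeline pods. Consider creating a dedicated ServiceAccount for the CI steps (for example one named `woodpecker-deployer`) and binding only that subject, leaving `default` unprivileged. The rule under `resources: ["deployments"]` also has no `resourceNames`, so `patch` applies to every deployment in the namespace; if CI only rolls out a known set, restrict `get` and `patch` to those names in a separate rule. Keep `list` and `watch` in an unrestricted rule, because a list or watch request is matched against `resourceNames` only when it selects that single object with a `metadata.name` field selector, and a client that does not do so would bring back the "Failed to watch" error this commit fixes. A short comment above the `threesix` subject explaining why a second namespace needs deploy rights in `rdev` would help later reviewers.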