helm: allow multicluster-services installCRDs to update CRDs #44224

Merged
MrFreezeex merged 1 commit into cilium:main from Preisschild:fix/helm-mcs-clusterrole on Feb 6, 2026

@Preisschild Preisschild commented Feb 6, 2026

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.

No permissions, it's (@MrFreezeex)

  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Previously cilium-operator fails to start if MCS/installCRDs is enabled because it does not have permissions to update the CRD with this log message:

level=error msg="Unable to update CRD" module=operator.operator-controlplane.leader-lifecycle.create-crds name=serviceimports.multicluster.x-k8s.io error="customresourcedefinitions.apiextensions.k8s.io \"serviceimports.multicluster.x-k8s.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"

This patch adds the necessary permissions to cilium-operator if you have mcs/installCRDs enabled

Fixes: #44210
Fixes: 3874013 ("clustermesh: add config for auto installing MCS-API CRDs")

clustermesh: fix CRD update permission for MCS-API CRD install

Previously cilium-operator fails to start if MCS/installCRDs is enabled
because it does not have permissions to update the CRD with this log
message:

level=error msg="Unable to update CRD"
module=operator.operator-controlplane.leader-lifecycle.create-crds
name=serviceimports.multicluster.x-k8s.io
error="customresourcedefinitions.apiextensions.k8s.io
\"serviceimports.multicluster.x-k8s.io\" is forbidden: User
\"system:serviceaccount:kube-system:cilium-operator\" cannot update
resource \"customresourcedefinitions\" in API group
\"apiextensions.k8s.io\" at the cluster scope"

This patch adds the necessary permissions to cilium-operator if you have
mcs/installCRDs enabled

Fixes: cilium#44210
Fixes: 3874013 ("clustermesh: add config for auto installing
MCS-API CRDs")

Signed-off-by: Florian Ströger <stroeger@youniqx.com>
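
Added example, not part of this pull request or of Cilium's code: the denial quoted above carries everything needed to identify the missing grant, so this sketch parses that logfmt line and derives the subject and the narrowest ClusterRole rule that would cover the denied request. The function names and the choice to scope the rule with `resourceNames` are assumptions made for illustration; the page does not show how the actual patch scopes the permission.

```python
import re

# The log line quoted in the PR description (logfmt, one line).
SAMPLE = r'''level=error msg="Unable to update CRD" module=operator.operator-controlplane.leader-lifecycle.create-crds name=serviceimports.multicluster.x-k8s.io error="customresourcedefinitions.apiextensions.k8s.io \"serviceimports.multicluster.x-k8s.io\" is forbidden: User \"system:serviceaccount:kube-system:cilium-operator\" cannot update resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope"'''

# key=value pairs: a value is a double-quoted string with \" escapes, or a bare token.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Shape of the API server's RBAC denial for a named, cluster-scoped object.
DENIED = re.compile(
    r'"(?P<name>[^"]+)" is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" at the cluster scope'
)


def parse_logfmt(line):
    """Split a logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for m in PAIR.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
    return fields


def rule_from_denial(line):
    """Hypothetical helper: subject plus the narrowest rule covering the denied request."""
    m = DENIED.search(parse_logfmt(line).get("error", ""))
    if m is None:
        return None  # not an RBAC denial of this shape
    subject = {"kind": "User", "name": m["user"]}
    parts = m["user"].split(":")
    if parts[:2] == ["system", "serviceaccount"] and len(parts) == 4:
        subject = {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    rule = {
        "apiGroups": [m["group"]],
        "resources": [m["resource"]],
        # Assumption for illustration: resourceNames limits the grant to this one
        # object. It works for get/update/patch/delete but cannot restrict create.
        "resourceNames": [m["name"]],
        "verbs": [m["verb"]],
    }
    return {"subject": subject, "rule": rule}


if __name__ == "__main__":
    print(rule_from_denial(SAMPLE))
```

Comparing the derived rule with the ClusterRole a chart renders shows whether a fix grants only the denied verb on the affected CRDs or something broader.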
@Preisschild Preisschild requested a review from a team as a code owner February 6, 2026 09:52
@Preisschild Preisschild requested a review from Artyop February 6, 2026 09:53
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 6, 2026
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Feb 6, 2026
@MrFreezeex

/test

@MrFreezeex MrFreezeex added release-note/bug This PR fixes an issue in a previous release of Cilium. area/clustermesh Relates to multi-cluster routing functionality in Cilium. area/helm Impacts helm charts and user deployment experience and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Feb 6, 2026
@MrFreezeex MrFreezeex left a comment

Thank you so much for the bug report and fixing this! This looks perfect 🙏

@MrFreezeex MrFreezeex added the needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch label Feb 6, 2026
Artyop commented Feb 6, 2026

/test

@Preisschild

> Thank you so much for the bug report and fixing this! This looks perfect 🙏

Absolutely. Thanks for making the MCS integration in the first place. I think it's really cool.

@MrFreezeex MrFreezeex enabled auto-merge February 6, 2026 10:26
@Preisschild

Is the [sig-network] NoSNAT test flaky? I don't think it's related to my commit.

@MrFreezeex

> Is the [sig-network] NoSNAT test flaky? I don't think it's related to my commit.

I am not entirely sure TBH but it's marked as not required so it probably is a bit flaky indeed 😅

@MrFreezeex MrFreezeex added this pull request to the merge queue Feb 6, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 6, 2026
Merged via the queue into cilium:main with commit 3953c12 Feb 6, 2026
80 of 82 checks passed
@Artyop Artyop mentioned this pull request Feb 10, 2026
6 tasks
@Artyop Artyop added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 10, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Feb 11, 2026
Labels

  • area/clustermesh: Relates to multi-cluster routing functionality in Cilium.
  • area/helm: Impacts helm charts and user deployment experience
  • backport-done/1.19: The backport for Cilium 1.19.x for this PR is done.
  • kind/community-contribution: This was a contribution made by a community member.
  • ready-to-merge: This PR has passed all tests and received consensus from code owners to merge.
  • release-note/bug: This PR fixes an issue in a previous release of Cilium.

Development

Successfully merging this pull request may close these issues.

cilium-operator fails to start when trying to update MultiCluster Services CRDs

3 participants