Skip to content

Use events.k8s.io in registry-api Role#5340

Merged
rdimitrov merged 1 commit into
mainfrom
fix/5339-registry-api-events-rbac
May 20, 2026
Merged

Use events.k8s.io in registry-api Role#5340
rdimitrov merged 1 commit into
mainfrom
fix/5339-registry-api-events-rbac

Conversation

@rdimitrov
Copy link
Copy Markdown
Member

@rdimitrov rdimitrov commented May 20, 2026

Summary

  • After Fix operator RBAC for event recording #5243 the operator's ClusterRole only grants events.k8s.io/events, but the per-MCPRegistry Role builder still asked for core ""/events. RBAC escalation prevention then blocked the operator from creating that Role, leaving every MCPRegistry stuck in phase: Failed with reason: RBACFailed.
  • Switch the registry-api Role rule to events.k8s.io/events so it matches the operator's own grant.

Fixes #5339

Test plan

  • Unit tests (go test ./cmd/thv-operator/pkg/registryapi/...)
  • Manual testing: kind cluster, A/B verified — unpatched origin/main reproduces the exact RBACFailed error from the issue; in-place helm upgrade to the patched image reconciles cleanly (Role's events rule becomes apiGroups: ["events.k8s.io"], MCPRegistry advances past RBAC).

🤖 Generated with Claude Code

@rdimitrov @claude
Use events.k8s.io in registry-api Role
0583dbc 
After #5243, the operator's ClusterRole grants events only in the
`events.k8s.io` API group, but the per-MCPRegistry Role builder still
requested core `""/events`. Kubernetes RBAC escalation prevention
forbids the operator from granting a permission it does not itself
hold, so every MCPRegistry got stuck in phase `Failed`.

Switch the registry-api Role rule to `events.k8s.io/events` to match
the operator's own grant and the controller-runtime events API.

Fixes #5339

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the size/XS Extra small PR: < 100 lines changed label May 20, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.36%. Comparing base (f6d4805) to head (0583dbc).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5340      +/-   ##
==========================================
- Coverage   68.42%   68.36%   -0.06%     
==========================================
  Files         620      620              
  Lines       63274    63274              
==========================================
- Hits        43294    43257      -37     
- Misses      16753    16790      +37     
  Partials     3227     3227

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@rdimitrov rdimitrov merged commit d3d9a02 into main May 20, 2026
45 checks passed
@rdimitrov rdimitrov deleted the fix/5339-registry-api-events-rbac branch May 20, 2026 09:10
@claude claude Bot mentioned this pull request May 21, 2026
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhrozek jhrozek jhrozek approved these changes

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

@JAORMX JAORMX Awaiting requested review from JAORMX JAORMX is a code owner

@jerm-dro jerm-dro Awaiting requested review from jerm-dro jerm-dro is a code owner

Assignees

No one assigned

Labels

size/XS Extra small PR: < 100 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] MCPRegistry stuck in RBACFailed on operator 0.28.0 — registry-api Role still grants core "events" verb that ClusterRole no longer holds

2 participants

@rdimitrov @jhrozek