From 8eba7e23b922bf4eba05677bfd2c83fa308121b9 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Sat, 4 Jan 2025 20:56:34 -0600
Subject: [PATCH] add pdb policy rbac
---
 .../descheduler/app/kustomization.yaml | 1 +
 .../kube-system/descheduler/app/rbac.yaml | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 kubernetes/apps/kube-system/descheduler/app/rbac.yaml
diff --git a/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml b/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml
index 17cbc72b..adb2a4f6 100644
--- a/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml
@@ -4,3 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./helmrelease.yaml
+ - ./rbac.yaml
diff --git a/kubernetes/apps/kube-system/descheduler/app/rbac.yaml b/kubernetes/apps/kube-system/descheduler/app/rbac.yaml
new file mode 100644
index 00000000..e993f4f9
--- /dev/null
+++ b/kubernetes/apps/kube-system/descheduler/app/rbac.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: descheduler-pdb-reader
+rules:
+- apiGroups: ["policy"]
+ resources: ["poddisruptionbudgets"]
+ verbs: ["list", "get", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: descheduler-pdb-reader
+subjects:
+- kind: ServiceAccount
+ name: descheduler
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: descheduler-pdb-reader
+ apiGroup: rbac.authorization.k8s.io
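Review bot: The ClusterRoleBinding in the new rbac.yaml names its subject by hand (ServiceAccount `descheduler` in `kube-system`), while the account itself is presumably created by the Helm release in helmrelease.yaml, which this patch does not show. RBAC does not check that a subject exists, so if the chart's service account name is overridden or changes with the release name, the binding keeps applying cleanly while the descheduler loses PDB read access. It also means that any account later created under that name in `kube-system` would pick up the grant. The rule itself is suitably narrow (read-only `get`/`list`/`watch` on `poddisruptionbudgets`). The file gives no reason for existing outside the chart, so I would add a header comment such as `# Grants the descheduler read access to PodDisruptionBudgets; subject must match the ServiceAccount created by the HelmRelease.` and, if this is a stopgap for a rule missing from the chart's own ClusterRole, a second line saying when it can be removed.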