From dda0adaf13642df03b33f76e6cda79775822d625 Mon Sep 17 00:00:00 2001
From: Bharat Kunwar <brtknr@bath.edu>
Date: Wed, 18 Dec 2019 17:13:25 +0000
Subject: [PATCH] [k8s] Fix RBAC for OCCM v1.17.0

At present, the openstack cloud controller manager tag v1.17.0 is broken
due to missing RBAC policy for leases. This patch addressed this
shortcoming and thereby allowing the nodes in the cluster to be
untainted.

story: 2007031
task: 37838

Change-Id: Ide46d90dd30b41edaeaa8632205cc23b9ba7f162
Signed-off-by: Bharat Kunwar <brtknr@bath.edu>
(cherry picked from commit b2393220c63f048c6dc1162f3e961eeef7a8445e)
---
 .../fragments/kube-apiserver-to-kubelet-role.sh           | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
index c502a11d44..9f67a45886 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
@@ -241,6 +241,14 @@ items:
     - list
     - get
     - watch
+  - apiGroups:
+    - "coordination.k8s.io"
+    resources:
+    - leases
+    verbs:
+    - get
+    - create
+    - update
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata: