Update cluster-role for cilium to prevent errors in agent startup

[foobaar]

ciliumloadbalancerippools permissions exists in the cilium helm chart for version 1.13.0 https://github.com/cilium/cilium/blob/v1.13.0/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L71

The agent also needs permissions to read/watch secrets for bgp auth secrets when using CiliumBGPPeeringPolicy with a secret.
Without the permissions for secrets, we see the following warns in the logs when cilium starts up on a node:

is forbidden: User \"system:serviceaccount:kube-system:cilium\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\"" subsys=k8s
time="2024-08-20T14:18:16Z" level=warning msg="github.com/cilium/cilium/pkg/k8s/resource/resource.go:808: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:cilium\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\"" subsys=klog
time="2024-08-20T14:18:16Z" level=error msg=k8sError error="github.com/cilium/cilium/pkg/k8s/resource/resource.go:808: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:cilium\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\"" subsys=k8s

What type of PR is this?
/kind bug

What this PR does / why we need it:
Gives the cilium agent required permissions to watch loadbalancerippools and secrets

Does this PR introduce a user-facing change?:
NONE

Release Note:

Fix Cilium agent permission can't read loadbalancerippools and secrets

** Cilium Config

apiVersion: v1
data:
  agent-health-port: "9879"
  auto-direct-node-routes: "False"
  bgp-secrets-namespace: kube-system
  bpf-ct-global-any-max: "262144"
  bpf-ct-global-tcp-max: "524288"
  bpf-lb-acceleration: disabled
  bpf-lb-mode: dsr
  bpf-map-dynamic-size-ratio: "0.0025"
  cgroup-root: /run/cilium/cgroupv2
  clean-cilium-bpf-state: "false"
  clean-cilium-state: "false"
  cluster-name: default
  cluster-pool-ipv4-cidr: 10.Y.0.0/14
  cluster-pool-ipv4-mask-size: "25"
  cni-exclusive: "True"
  cni-log-file: /var/run/cilium/cilium-cni.log
  custom-cni-conf: "false"
  debug: "False"
  disable-cnp-status-updates: "True"
  enable-bgp-control-plane: "true"
  enable-bpf-clock-probe: "True"
  enable-bpf-masquerade: "False"
  enable-host-legacy-routing: "True"
  enable-hubble: "true"
  enable-ip-masq-agent: "False"
  enable-ipv4: "True"
  enable-ipv4-masquerade: "True"
  enable-ipv6: "False"
  enable-ipv6-masquerade: "True"
  enable-l2-announcements: "False"
  enable-metrics: "true"
  enable-remote-node-identity: "True"
  enable-well-known-identities: "False"
  etcd-config: |-
    ---
    endpoints:
      - https://10.X.0.36:2379
      - https://10.X.0.37:2379
      - https://10.X.0.38:2379
      - https://10.X.0.39:2379
      - https://10.X.0.40:2379

    # In case you want to use TLS in etcd, uncomment the 'ca-file' line
    # and create a kubernetes secret by following the tutorial in
    # https://cilium.link/etcd-config
    ca-file: "/etc/cilium/certs/ca_cert.crt"

    # In case you want client to server authentication, uncomment the following
    # lines and create a kubernetes secret by following the tutorial in
    # https://cilium.link/etcd-config
    key-file: "/etc/cilium/certs/key.pem"
    cert-file: "/etc/cilium/certs/cert.crt"
  hubble-disable-tls: "false"
  hubble-listen-address: :4244
  hubble-metrics: dns drop tcp flow icmp http
  hubble-metrics-server: :9965
  hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
  hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
  hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
  identity-allocation-mode: kvstore
  ipam: cluster-pool
  ipv4-native-routing-cidr: 10.0.0.0/8
  kube-proxy-replacement: strict
  kvstore: etcd
  kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
  monitor-aggregation: medium
  monitor-aggregation-flags: all
  operator-api-serve-addr: 127.0.0.1:9234
  operator-prometheus-serve-addr: :9963
  preallocate-bpf-maps: "False"
  prometheus-serve-addr: :9962
  routing-mode: native
  sidecar-istio-proxy-image: cilium/istio_proxy
  write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist

[k8s-ci-robot]

Hi @foobaar. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tico88612]

@foobaar Please add release note block.

Fix Cilium agent permission can't read loadbalancerippools and secrets

/ok-to-test

[tico88612]

Please fix release note block.

Like this:

kubespray/.github/PULL_REQUEST_TEMPLATE.md

Lines 42 to 44 in 2f84567

	```release-note
	```

[tico88612]

/retest

[foobaar]

Updated release note

[tico88612]

/retest

[tico88612]

/lgtm

[tico88612]

/retest-failed

[foobaar]

Hey is there anything additional you want from me on this MR?

[tico88612]

@yankay This PR is about cilium agent fix. Please take a look, thanks.

[VannTen]

AFAICT the secrets permission in the helm charts is only get for secrets, should this be as tight here ?

[foobaar]

I see the following errors in Cilium when i dont give watch/list

When I only have get permissions for secrets, I get the following Warn:

time="2024-09-05T18:09:04Z" level=warning msg="github.com/cilium/cilium/pkg/k8s/resource/resource.go:808: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:cilium\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\"" subsys=klog
time="2024-09-05T18:09:04Z" level=error msg=k8sError error="github.com/cilium/cilium/pkg/k8s/resource/resource.go:808: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:cilium\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\"" subsys=k8s

When I only have get,list permissions for secrets, I get the following Warn:

time="2024-09-05T18:11:59Z" level=error msg=k8sError error="github.com/cilium/cilium/pkg/k8s/resource/resource.go:808: Failed to watch *v1.Secret: unknown (get secrets)" subsys=k8s

[cyclinder]

Hi @foobaar, Did you see the errors in cilium-agent pod? Look at https://github.com/cilium/cilium/blob/c9723a8df3cfa336da1f8457a864105d8349acfe/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L66, I don't see that these extra list/watch permissions are needed cilium upstream, maybe we need to investigate further. which cilium version you used?

[foobaar]

I did/do see these errors in the cilium-agent pod.
The log messages I posted are from the cilium agent pod without list/watch permissions.
The version of cilium I am using is the current default for kubespray which is: 1.15.4

[foobaar]

I can remove the list/watch secrets from the MR if this is delaying/blocking this MR.
Get secrets and ciliumloadbalancerippools are required by the agent though.

[foobaar]

Sounds good! I will so that. Thanks @cyclinder

[foobaar]

I have updated the MR

[cyclinder]

Hi @foobaar, Do you open this issue to cilium repo?

[foobaar]

I could not submit an issue for the current version of cilium 1.15.4

kubespray/README.md

Line 171 in 15bb5b0

- [cilium](https://github.com/cilium/cilium) v1.15.4

To submit a bug report to cilium, i am required to be on atleast 1.15.7

[foobaar]

I will upgrade and submit an issue to cilium this week

[yankay]

Hi @cyclinder

would you please help to review it

[tico88612]

/retest-failed

[tico88612]

/retest-failed

[foobaar]

Hey! Is there anything else you want from me for this PR?

[tico88612]

/retest

[cyclinder]

/lgtm

[cyclinder]

Please take a look, thanks :)

/cc @yankay

[yankay]

Thanks @foobaar
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cyclinder, foobaar, tico88612, yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [yankay]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment