Add apiextensions.k8s.io and dapr.io RBAC permissions to dynamic-rp service account #11350
lakshmimsft merged 2 commits into main
Pull request overview

Updates the Helm chart RBAC for the dynamic-rp service account to support Terraform-based deployment of Dapr recipes by granting access to (1) Kubernetes CRDs for GVK discovery and (2) Dapr custom resources for lifecycle management.

Changes:
- Add `apiextensions.k8s.io/customresourcedefinitions` RBAC verbs (get, list, watch) to allow Terraform's Kubernetes provider to resolve GVKs.
- Add `dapr.io` RBAC for core Dapr resources (components, subscriptions, configurations, resiliencies) with CRUD + watch verbs.
Codecov Report: All modified and coverable lines are covered by tests.

| Coverage Diff | main | #11350 | +/- |
|---|---|---|---|
| Coverage | 51.09% | 51.10% | |
| Files | 699 | 699 | |
| Lines | 44067 | 44067 | |
| Hits | 22517 | 22521 | +4 |
| Misses | 19402 | 19400 | -2 |
| Partials | 2148 | 2146 | -2 |
…lusterRole

The dynamic-rp service account was missing permissions needed by the Terraform kubernetes provider when deploying Dapr Terraform Recipes:
1. apiextensions.k8s.io/customresourcedefinitions (get, list, watch) - needed to look up GVKs among available CRDs
2. dapr.io resources: components, subscriptions, configurations, resiliencies (full CRUD) - needed to manage Dapr resources

Fixes #8685

Co-authored-by: willtsai <28876888+willtsai@users.noreply.github.com>
Co-authored-by: kachawla <74574173+kachawla@users.noreply.github.com>
…ervice account (#11350)

# Description

The `dynamic-rp` service account lacks RBAC permissions required when deploying Dapr Recipes. Two failures occur:
1. Cannot list CRDs (`apiextensions.k8s.io`) to resolve GVKs for custom resources
2. Cannot manage Dapr resources (`dapr.io`) in target namespaces

Adds two rule blocks to the `dynamic-rp` ClusterRole:
- **`apiextensions.k8s.io/customresourcedefinitions`** — `get`, `list`, `watch` (needed to look up GVKs among available CRDs)
- **`dapr.io`** — `components`, `subscriptions`, `configurations`, `resiliencies` with full CRUD (matches the existing `applications-rp` pattern for Dapr resource management)

## Type of change

- This pull request fixes a bug in Radius and has an approved issue (issue link required).

## Contributor checklist

Please verify that the PR meets the following requirements, where applicable:
- An overview of proposed schema changes is included in a linked GitHub issue.
  - [ ] Yes
  - [x] Not applicable
- A design document PR is created in the [design-notes repository](https://github.com/radius-project/design-notes/), if new APIs are being introduced.
  - [ ] Yes
  - [x] Not applicable
- The design document has been reviewed and approved by Radius maintainers/approvers.
  - [ ] Yes
  - [x] Not applicable
- A PR for the [samples repository](https://github.com/radius-project/samples) is created, if existing samples are affected by the changes in this PR.
  - [ ] Yes
  - [x] Not applicable
- A PR for the [documentation repository](https://github.com/radius-project/docs) is created, if the changes in this PR affect the documentation or any user facing updates are made.
  - [ ] Yes
  - [x] Not applicable
- A PR for the [recipes repository](https://github.com/radius-project/recipes) is created, if existing recipes are affected by the changes in this PR.
  - [ ] Yes
  - [x] Not applicable

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: willtsai <28876888+willtsai@users.noreply.github.com>
Co-authored-by: kachawla <74574173+kachawla@users.noreply.github.com>
(cherry picked from commit 0980cf9)
Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Description

The `dynamic-rp` service account lacks RBAC permissions required when deploying Dapr Recipes. Two failures occur:
1. Cannot list CRDs (`apiextensions.k8s.io`) to resolve GVKs for custom resources
2. Cannot manage Dapr resources (`dapr.io`) in target namespaces

Adds two rule blocks to the `dynamic-rp` ClusterRole:
- `apiextensions.k8s.io/customresourcedefinitions` — `get`, `list`, `watch` (needed to look up GVKs among available CRDs)
- `dapr.io` — `components`, `subscriptions`, `configurations`, `resiliencies` with full CRUD (matches the existing `applications-rp` pattern for Dapr resource management)

Type of change
- This pull request fixes a bug in Radius and has an approved issue (issue link required).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:
- An overview of proposed schema changes is included in a linked GitHub issue: Not applicable
- A design document PR is created in the design-notes repository, if new APIs are being introduced: Not applicable
- The design document has been reviewed and approved by Radius maintainers/approvers: Not applicable
- A PR for the samples repository is created, if existing samples are affected by the changes in this PR: Not applicable
- A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made: Not applicable
- A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR: Not applicable
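As an added example, not code from the Radius project or this PR: a small evaluator that applies Kubernetes RBAC matching semantics (exact match or `*` wildcard per field, rules purely additive) to a ClusterRole's `rules` list and reports which of the accesses the Terraform kubernetes provider needs for a Dapr recipe are still missing, reproducing the two failures above with and without the new rule blocks. The rule dicts, the exact CRUD verb list for `dapr.io`, the `REQUIRED` access list and the pre-existing placeholder rule are assumptions constructed from the description, not the chart's actual rules.

```python
# Added example (not from the Radius chart or this PR): apply Kubernetes RBAC
# matching rules to a ClusterRole's `rules` list and report which accesses the
# Terraform kubernetes provider needs for a Dapr recipe are still missing.
# Rule dicts and the exact verb list are constructed from the PR description.

CRD_LOOKUP_RULE = {  # rule block 1: resolve GVKs by listing CRDs
    "apiGroups": ["apiextensions.k8s.io"],
    "resources": ["customresourcedefinitions"],
    "verbs": ["get", "list", "watch"],
}
DAPR_RULE = {  # rule block 2: manage Dapr custom resources (assumed CRUD verb set)
    "apiGroups": ["dapr.io"],
    "resources": ["components", "subscriptions", "configurations", "resiliencies"],
    "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
}
# Constructed placeholder for whatever the ClusterRole already granted before this PR.
PRE_EXISTING_RULE = {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}

# Accesses a Dapr recipe deployment exercises: CRD lookup, then resource lifecycle.
REQUIRED = [
    ("apiextensions.k8s.io", "customresourcedefinitions", "list"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "get"),
    ("dapr.io", "components", "create"),
    ("dapr.io", "components", "get"),
    ("dapr.io", "components", "delete"),
]


def _rule_matches(rule, api_group, resource, verb):
    """RBAC semantics: every field must match, either exactly or via the '*' wildcard."""
    def hit(field, want):
        values = rule.get(field, [])
        return "*" in values or want in values
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def allowed(rules, api_group, resource, verb):
    """Rules are purely additive: access is granted if any single rule matches."""
    return any(_rule_matches(r, api_group, resource, verb) for r in rules)


def missing_permissions(rules):
    """(group, resource, verb) triples from REQUIRED that `rules` does not grant."""
    return [req for req in REQUIRED if not allowed(rules, *req)]


if __name__ == "__main__":
    before = [PRE_EXISTING_RULE]                              # both failures reproduce
    after = [PRE_EXISTING_RULE, CRD_LOOKUP_RULE, DAPR_RULE]   # PR applied
    print("missing before:", missing_permissions(before))
    print("missing after :", missing_permissions(after))
```

Note that verbs not in the assumed list (for example `deletecollection`) remain denied, which is the least-privilege property a reviewer would check when extending a service account's ClusterRole.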