From 853c43737d7dc558648ba63171fcc9c582242278 Mon Sep 17 00:00:00 2001
From: Sean Malloy
Date: Fri, 7 Feb 2020 22:03:14 -0600
Subject: [PATCH 1/2] Update ClusterRole To Allow Creating Events The descheduler creates a k8s event for each pod that it evicts. When the code to create events was added the RBAC ClusterRole was not updated to allow creating events. Users would see the below error in the descheduler log when it tried to create an event. "system:serviceaccount:kube-system:descheduler-sa" cannot create resource "events" in API group "" in the namespace "xxxx-production"' (will not retry!)' This change fixes this error by updating the ClusterRole to allow creation of k8s events.
---
 kubernetes/rbac.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/kubernetes/rbac.yaml b/kubernetes/rbac.yaml
index 89548b252..7411c4fda 100644
--- a/kubernetes/rbac.yaml
+++ b/kubernetes/rbac.yaml
@@ -5,6 +5,9 @@ metadata:
 name: descheduler-cluster-role
 namespace: kube-system
 rules:
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "watch", "list"]
From 6dd91b6a2289750b62bf535799887325ab22adb6 Mon Sep 17 00:00:00 2001
From: Sean Malloy
Date: Sun, 9 Feb 2020 00:17:20 -0600
Subject: [PATCH 2/2] Update ClusterRole To Allow Updating Events Based on feedback during code review it was recommended to allow updating events in addition to creating events. Because event proceeding logic on the client side sometimes updates existing events instead of creating a new one.
---
 kubernetes/rbac.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/rbac.yaml b/kubernetes/rbac.yaml
index 7411c4fda..1432caab4 100644
--- a/kubernetes/rbac.yaml
+++ b/kubernetes/rbac.yaml
@@ -7,7 +7,7 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["events"]
- verbs: ["create"]
+ verbs: ["create", "update"]
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "watch", "list"]
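Review bot: The new `events` rule in the first patch carries no comment explaining why the descheduler needs write access, and its real scope is wider than the surrounding metadata suggests. Per the commit message this is a ClusterRole, so the `namespace: kube-system` shown in the hunk context does not narrow the rule: the service account may create events in every namespace. That matches the stated need, since evicted pods can live in any namespace, but it should be written down so a later RBAC audit neither removes the rule nor widens it. I would add above the rule `# Lets the descheduler record an Event for each pod it evicts (in the pod's namespace).` The rules list continues outside the hunk.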
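Review bot: Adding `update` in the second patch may not cover the case its commit message describes. As far as I know, the client-go event recorder sends a PATCH when it bumps an existing event and only falls back to create when that event is gone, so repeated events could still be rejected as forbidden. Please confirm which verb the recorder used by the descheduler actually issues and grant exactly that; if it is patch, the line would read `verbs: ["create", "patch"]`, keeping `update` only if a code path really needs it. A `cannot patch resource "events"` message in the descheduler log once the same event repeats would settle it. The rules list continues outside the hunk.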