fix(kubernetes): allow pod exec creation in helmchart cluster role

fengcone · fengcone · commit 625535146e12 · 2026-03-24T21:48:12.000+08:00
diff --git a/kubernetes/README-ZH.md b/kubernetes/README-ZH.md
@@ -29,7 +29,7 @@ Pool 自定义资源维护一个预热的计算资源池，以实现快速沙箱
 - **池容量限制**：通过池范围的最小和最大限制来控制总体资源消耗。
 - **回收策略 (Recycle Policies)**：支持不同的 Pod 回收策略：
   - **Delete (默认)**：Pod 在返回池时会被删除并根据模板重新创建，确保环境绝对纯净。
-  - **Restart**：通过向所有容器的 PID 1 发送 SIGTERM 信号优雅终止进程，并依赖 Kubernetes 的 `restartPolicy` 触发重启。这种方式比 `Delete` 更快，但要求 `PodTemplateSpec` 中的 `restartPolicy` 设置为 `Always` 或 `OnFailure`。
+  - **Restart**：通过向所有容器的 PID 1 发送 SIGTERM 信号优雅终止进程，并依赖 Kubernetes 的 `restartPolicy` 触发重启。这种方式比 `Delete` 更快，但要求 `PodTemplateSpec` 中的 `restartPolicy` 设置为 `Always`。
 - **自动扩展**：基于当前需求和缓冲区设置进行动态资源分配和释放。
 - **实时状态监控**：显示总数、已分配、可用以及正在重启中的 Pod 数量。
 
diff --git a/kubernetes/README.md b/kubernetes/README.md
@@ -29,7 +29,7 @@ The Pool custom resource maintains a pool of pre-warmed compute resources to ena
 - **Pool Capacity Limits**: Overall resource consumption control with pool-wide minimum and maximum limits.
 - **Recycle Policies**: Support for different pod recycling strategies:
   - **Delete (Default)**: Pods are deleted and recreated from the template when returned to the pool, ensuring a completely clean environment.
-  - **Restart**: PID 1 in all containers is gracefully terminated (SIGTERM), and the Kubernetes `restartPolicy` triggers a restart. This is faster than `Delete` but requires the `restartPolicy` in `PodTemplateSpec` to be set to `Always` or `OnFailure`.
+  - **Restart**: PID 1 in all containers is gracefully terminated (SIGTERM), and the Kubernetes `restartPolicy` triggers a restart. This is faster than `Delete` but requires the `restartPolicy` in `PodTemplateSpec` to be set to `Always`.
 - **Automatic Scaling**: Dynamic resource allocation and deallocation based on current demand and buffer settings.
 - **Real-time Status**: Monitoring of total, allocated, available, and restarting pods.
 
diff --git a/kubernetes/charts/opensandbox-controller/templates/clusterrole.yaml b/kubernetes/charts/opensandbox-controller/templates/clusterrole.yaml
@@ -73,6 +73,12 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
 - apiGroups:
   - sandbox.opensandbox.io
   resources:
