filestorecsi-lockrelease-cluster-role missing watch verb on nodes causes Failed to watch *v1.Node error

[SergeySelya]

Describe the bug
filestore-lock-release-controller continuously logs the following error every ~45 seconds:

k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.Node: unknown (get nodes)
Root cause
The controller uses a SharedIndexInformer on nodes (see pkg/releaselock/controller.go — field nodeInformer *cache.SharedIndexInformer).

SharedIndexInformer unconditionally requires both list and watch permissions — it uses the ListerWatcher interface which calls both ListWithContext and WatchWithContext internally. There is no code path that skips either operation.

However, filestorecsi-lockrelease-cluster-role only grants get and list on nodes — watch verb is missing:

# deploy/kubernetes/overlays/lockrelease/configmap_rbac.yaml
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]  # watch is missing
Without watch, the watch-stream cannot be established, WaitForCacheSync never completes, and the controller logs the error continuously.

Affected versions
Confirmed missing on all branches: master, release-1.8, release-1.10, release-1.12. GKE addon version 0.15.17 / image gcp-filestore-csi-driver-lockrelease:v1.8.0-gke.19.

Fix
Add watch to the ClusterRole in deploy/kubernetes/overlays/lockrelease/configmap_rbac.yaml:

rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]