fixed the default wildcard cluserrole assignment

Signed-off-by: Ved Ratan <[email protected]>
nirmata · Jul 17, 2024 · 43bfd7a · 43bfd7a
1 parent fab43f9
commit 43bfd7a
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 7 deletions.
diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@@ -22,10 +22,6 @@ rules:
     resources:
       - mutatingwebhookconfigurations
       - validatingwebhookconfigurations
-      {{- if .Values.features.generateValidatingAdmissionPolicy.enabled }}
-      - validatingadmissionpolicies
-      - validatingadmissionpolicybindings
-      {{- end }}
     verbs:
       - create
       - delete
@@ -43,8 +39,8 @@ rules:
       - rolebindings
       - clusterrolebindings
     verbs:
-      - list
       - watch
+      - list
   - apiGroups:
       - kyverno.io
     resources:
@@ -98,6 +94,9 @@ rules:
       - subjectaccessreviews
     verbs:
       - create
+{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- with .Values.admissionController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml
@@ -58,7 +58,10 @@ rules:
     verbs:
       - create
       - patch
-{{- with .Values.reportsController.rbac.clusterRole.extraResources }}
+{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.admissionController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
@@ -700,6 +700,20 @@ admissionController:
       annotations: {}
         # example.com/annotation: value
 
+    coreClusterRole:
+      # -- Extra resource permissions to add in the core cluster role.
+      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
+      # @default -- See [values.yaml](values.yaml)
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
+
     clusterRole:
       # -- Extra resource permissions to add in the cluster role
       extraResources: []
@@ -1327,6 +1341,21 @@ cleanupController:
       annotations: {}
         # example.com/annotation: value
 
+
+    coreClusterRole:
+      # -- Extra resource permissions to add in the core cluster role.
+      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
+      # @default -- See [values.yaml](values.yaml)
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
+
     clusterRole:
       # -- Extra resource permissions to add in the cluster role
       extraResources: []
@@ -1606,6 +1635,21 @@ reportsController:
       annotations: {}
         # example.com/annotation: value
 
+
+    coreClusterRole:
+      # -- Extra resource permissions to add in the core cluster role.
+      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
+      # @default -- See [values.yaml](values.yaml)
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
+
     clusterRole:
       # -- Extra resource permissions to add in the cluster role
       extraResources: []

diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
@@ -44909,8 +44909,8 @@ rules:
       - rolebindings
       - clusterrolebindings
     verbs:
-      - list
       - watch
+      - list
   - apiGroups:
       - kyverno.io
     resources:
@@ -44964,6 +44964,14 @@ rules:
       - subjectaccessreviews
     verbs:
       - create
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - get
+    - list
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -45430,6 +45438,14 @@ rules:
     verbs:
       - create
       - patch
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - get
+    - list
+    - watch
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1