fix missing rbac for storage

Signed-off-by: Matthias Bertschy <[email protected]>
kubescape · Nov 22, 2024 · 0a30aae · 0a30aae
1 parent 8b33bba
commit 0a30aae
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 2 deletions.
diff --git a/charts/kubescape-operator/templates/storage/clusterrole.yaml b/charts/kubescape-operator/templates/storage/clusterrole.yaml
@@ -8,12 +8,18 @@ metadata:
     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 rules:
 - apiGroups: [""]
-  resources: ["pods", "services"]
-  verbs: ["get", "watch", "list"]
+  resources: ["namespaces", "pods", "services"]
+  verbs: [ "get", "watch", "list" ]
+- apiGroups: [ "admissionregistration.k8s.io" ]
+  resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]
+  verbs: [ "get", "watch", "list" ]
 - apiGroups: ["apps"]
   resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
   verbs: ["get", "watch", "list"]
 - apiGroups: ["batch"]
   resources: ["cronjobs", "jobs"]
   verbs: ["get", "watch", "list"]
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+  resources: ["prioritylevelconfigurations", "flowschemas"]
+  verbs: ["get", "watch", "list"]
 {{- end }}
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -4925,12 +4925,22 @@ all capabilities:
       - apiGroups:
           - ""
         resources:
+          - namespaces
           - pods
           - services
         verbs:
           - get
           - watch
           - list
+      - apiGroups:
+          - admissionregistration.k8s.io
+        resources:
+          - mutatingwebhookconfigurations
+          - validatingwebhookconfigurations
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - apps
         resources:
@@ -4951,6 +4961,15 @@ all capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - flowcontrol.apiserver.k8s.io
+        resources:
+          - prioritylevelconfigurations
+          - flowschemas
+        verbs:
+          - get
+          - watch
+          - list
   97: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -10112,12 +10131,22 @@ default capabilities:
       - apiGroups:
           - ""
         resources:
+          - namespaces
           - pods
           - services
         verbs:
           - get
           - watch
           - list
+      - apiGroups:
+          - admissionregistration.k8s.io
+        resources:
+          - mutatingwebhookconfigurations
+          - validatingwebhookconfigurations
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - apps
         resources:
@@ -10138,6 +10167,15 @@ default capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - flowcontrol.apiserver.k8s.io
+        resources:
+          - prioritylevelconfigurations
+          - flowschemas
+        verbs:
+          - get
+          - watch
+          - list
   73: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -14343,12 +14381,22 @@ disable otel:
       - apiGroups:
           - ""
         resources:
+          - namespaces
           - pods
           - services
         verbs:
           - get
           - watch
           - list
+      - apiGroups:
+          - admissionregistration.k8s.io
+        resources:
+          - mutatingwebhookconfigurations
+          - validatingwebhookconfigurations
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - apps
         resources:
@@ -14369,6 +14417,15 @@ disable otel:
           - get
           - watch
           - list
+      - apiGroups:
+          - flowcontrol.apiserver.k8s.io
+        resources:
+          - prioritylevelconfigurations
+          - flowschemas
+        verbs:
+          - get
+          - watch
+          - list
   58: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
@@ -17594,12 +17651,22 @@ minimal capabilities:
       - apiGroups:
           - ""
         resources:
+          - namespaces
           - pods
           - services
         verbs:
           - get
           - watch
           - list
+      - apiGroups:
+          - admissionregistration.k8s.io
+        resources:
+          - mutatingwebhookconfigurations
+          - validatingwebhookconfigurations
+        verbs:
+          - get
+          - watch
+          - list
       - apiGroups:
           - apps
         resources:
@@ -17620,6 +17687,15 @@ minimal capabilities:
           - get
           - watch
           - list
+      - apiGroups:
+          - flowcontrol.apiserver.k8s.io
+        resources:
+          - prioritylevelconfigurations
+          - flowschemas
+        verbs:
+          - get
+          - watch
+          - list
   43: |
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding