diff --git a/charts/kubescape-operator/templates/storage/clusterrole.yaml b/charts/kubescape-operator/templates/storage/clusterrole.yaml index 7aba0970..0fd6f651 100644 --- a/charts/kubescape-operator/templates/storage/clusterrole.yaml +++ b/charts/kubescape-operator/templates/storage/clusterrole.yaml @@ -8,12 +8,18 @@ metadata: {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }} rules: - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "watch", "list"] + resources: ["namespaces", "pods", "services"] + verbs: [ "get", "watch", "list" ] +- apiGroups: [ "admissionregistration.k8s.io" ] + resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ] + verbs: [ "get", "watch", "list" ] - apiGroups: ["apps"] resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] verbs: ["get", "watch", "list"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["get", "watch", "list"] +- apiGroups: ["flowcontrol.apiserver.k8s.io"] + resources: ["prioritylevelconfigurations", "flowschemas"] + verbs: ["get", "watch", "list"] {{- end }} diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap index 36ce31b1..fe952490 100644 --- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap +++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap @@ -4925,12 +4925,22 @@ all capabilities: - apiGroups: - "" resources: + - namespaces - pods - services verbs: - get - watch - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list - apiGroups: - apps resources: 
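Review bot: The three new cluster-wide read grants in `templates/storage/clusterrole.yaml` (`namespaces`, the `admissionregistration.k8s.io` webhook configurations, and the `flowcontrol.apiserver.k8s.io` resources) carry no comment naming the storage feature that lists or watches them, so a later least-privilege review cannot tell whether each rule is still required. Webhook configurations in particular expose the cluster's admission-control layout (client endpoints, failure policy, selectors), so that rule deserves an explicit justification; I would add a line above each new rule such as `# read-only; needed by <PLACEHOLDER: storage feature that consumes this resource>`. The rules stay limited to `get`/`watch`/`list`, which is right, but the hunk only shows the closing `{{- end }}`; the opening condition is outside it, so confirm the grants are rendered only when the consuming capability is enabled. As a style point, the rewritten `verbs: [ "get", "watch", "list" ]` and the `admissionregistration.k8s.io` rule use spaced brackets while the rest of the file, including the new flowcontrol rule, uses `["get", "watch", "list"]`; keeping the unspaced form avoids a whitespace-only change on the first rule.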
@@ -4951,6 +4961,15 @@ all capabilities: - get - watch - list + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - watch + - list 97: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -10112,12 +10131,22 @@ default capabilities: - apiGroups: - "" resources: + - namespaces - pods - services verbs: - get - watch - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list - apiGroups: - apps resources: @@ -10138,6 +10167,15 @@ default capabilities: - get - watch - list + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - watch + - list 73: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -14343,12 +14381,22 @@ disable otel: - apiGroups: - "" resources: + - namespaces - pods - services verbs: - get - watch - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list - apiGroups: - apps resources: @@ -14369,6 +14417,15 @@ disable otel: - get - watch - list + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - watch + - list 58: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -17594,12 +17651,22 @@ minimal capabilities: - apiGroups: - "" resources: + - namespaces - pods - services verbs: - get - watch - list + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - watch + - list - apiGroups: - apps resources: 
@@ -17620,6 +17687,15 @@ minimal capabilities: - get - watch - list + - apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - prioritylevelconfigurations + - flowschemas + verbs: + - get + - watch + - list 43: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding