fix report permissions (#2874)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2025-04-09 02:29:22 +00:00 · 2021-12-23 19:55:47 -08:00 · 2021-12-23 19:55:47 -08:00 · 48f2105c51
commit 48f2105c51
parent 2be70a5074
7 changed files with 99 additions and 25 deletions
--- a/charts/kyverno/templates/aggregateroles.yaml
+++ b/charts/kyverno/templates/aggregateroles.yaml
@ -13,7 +13,13 @@ rules:
  - policies
  - clusterpolicies
  verbs:
-  - "*"
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -24,12 +30,18 @@ metadata:
  name: {{ template "kyverno.fullname" . }}:admin-policyreport
 rules:
  - apiGroups:
-      - wgpolicyk8s.io/v1alpha2
+      - wgpolicyk8s.io
    resources:
      - policyreport
      - clusterpolicyreport
    verbs:
-      - '*'
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -45,6 +57,12 @@ rules:
  - reportchangerequests
  - clusterreportchangerequests
  verbs:
-  - "*"
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch

 {{- end }}
--- a/charts/kyverno/templates/clusterrole.yaml
+++ b/charts/kyverno/templates/clusterrole.yaml
@ -25,16 +25,12 @@ metadata:
    app: kyverno
 rules:
 - apiGroups:
-    - "kyverno.io"
+    - kyverno.io
  resources:
    - policies
    - policies/status
    - clusterpolicies
    - clusterpolicies/status
-    - policyreports
-    - policyreports/status
-    - clusterpolicyreports
-    - clusterpolicyreports/status
    - generaterequests
    - generaterequests/status
    - reportchangerequests
@ -50,6 +46,23 @@ rules:
    - update
    - watch
    - deletecollection
+- apiGroups:
+  - wgpolicyk8s.io
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+  - deletecollection
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@ -5,6 +5,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '1'
+    internal.config.kubernetes.io/index: '1'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
@ -1343,6 +1344,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '2'
+    internal.config.kubernetes.io/index: '2'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
@ -1835,6 +1837,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '3'
+    internal.config.kubernetes.io/index: '3'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
@ -2327,6 +2330,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '4'
+    internal.config.kubernetes.io/index: '4'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
@ -2508,6 +2512,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '5'
+    internal.config.kubernetes.io/index: '5'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
@ -3846,6 +3851,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '6'
+    internal.config.kubernetes.io/index: '6'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
@ -4338,6 +4344,7 @@ metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
    config.kubernetes.io/index: '7'
+    internal.config.kubernetes.io/index: '7'
  creationTimestamp: null
  labels:
    app.kubernetes.io/component: kyverno
--- a/config/install.yaml
+++ b/config/install.yaml
@ -7219,7 +7219,7 @@ metadata:
  name: kyverno:admin-policyreport
 rules:
 - apiGroups:
-  - wgpolicyk8s.io/v1alpha2
+  - wgpolicyk8s.io
  resources:
  - policyreports
  - clusterpolicyreports
@ -7355,10 +7355,6 @@ rules:
  - policies/status
  - clusterpolicies
  - clusterpolicies/status
-  - policyreports
-  - policyreports/status
-  - clusterpolicyreports
-  - clusterpolicyreports/status
  - generaterequests
  - generaterequests/status
  - reportchangerequests
@ -7374,6 +7370,22 @@ rules:
  - update
  - watch
  - deletecollection
+- apiGroups:
+  - wgpolicyk8s.io
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+  - deletecollection
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@ -7152,7 +7152,7 @@ metadata:
  name: kyverno:admin-policyreport
 rules:
 - apiGroups:
-  - wgpolicyk8s.io/v1alpha2
+  - wgpolicyk8s.io
  resources:
  - policyreports
  - clusterpolicyreports
@ -7268,10 +7268,6 @@ rules:
  - policies/status
  - clusterpolicies
  - clusterpolicies/status
-  - policyreports
-  - policyreports/status
-  - clusterpolicyreports
-  - clusterpolicyreports/status
  - generaterequests
  - generaterequests/status
  - reportchangerequests
@ -7287,6 +7283,22 @@ rules:
  - update
  - watch
  - deletecollection
+- apiGroups:
+  - wgpolicyk8s.io
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+  - deletecollection
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/config/k8s-resource/aggregateroles.yaml
+++ b/config/k8s-resource/aggregateroles.yaml
@ -30,7 +30,7 @@ metadata:
  name: kyverno:admin-policyreport
 rules:
  - apiGroups:
-      - wgpolicyk8s.io/v1alpha2
+      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
--- a/config/k8s-resource/clusterroles.yaml
+++ b/config/k8s-resource/clusterroles.yaml
@ -7,16 +7,12 @@ metadata:
  name: kyverno:policies
 rules:
 - apiGroups:
-  - "kyverno.io"
+  - kyverno.io
  resources:
  - policies
  - policies/status
  - clusterpolicies
  - clusterpolicies/status
-  - policyreports
-  - policyreports/status
-  - clusterpolicyreports
-  - clusterpolicyreports/status
  - generaterequests
  - generaterequests/status
  - reportchangerequests
@ -32,6 +28,22 @@ rules:
  - update
  - watch
  - deletecollection
+- apiGroups:
+  - wgpolicyk8s.io
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+  - deletecollection
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole