Fix: Hard-coded ClusterRoleName in OwnerRef breaks (#2718)

* fix hardcoded clusterrole name * Fix label
2025-03-31 03:45:17 +00:00 · 2021-11-16 17:02:42 +05:30 · 2021-11-16 17:02:42 +05:30 · fa95132806
commit fa95132806
parent e3c17972a8
7 changed files with 12 additions and 10 deletions
--- a/charts/kyverno/templates/clusterrole.yaml
+++ b/charts/kyverno/templates/clusterrole.yaml
@ -22,6 +22,7 @@ kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:webhook
  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app.kubernetes.io/ownerreference: "true"
    app: kyverno
 rules:
 # Dynamic creation of webhooks, events & certs
--- a/config/install.yaml
+++ b/config/install.yaml
@ -7360,6 +7360,7 @@ metadata:
    app.kubernetes.io/name: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
+    app.kubernetes.io/ownerreference: "true"
  name: kyverno:webhook
 rules:
 - apiGroups:
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@ -7245,6 +7245,7 @@ kind: ClusterRole
 metadata:
  labels:
    app: kyverno
+    app.kubernetes.io/ownerreference: "true"
  name: kyverno:webhook
 rules:
 - apiGroups:
--- a/config/k8s-resource/clusterroles.yaml
+++ b/config/k8s-resource/clusterroles.yaml
@ -22,6 +22,7 @@ kind: ClusterRole
 metadata:
  labels:
    app: kyverno
+    app.kubernetes.io/ownerreference: "true"
  name: kyverno:webhook
 rules:
 # Dynamic creation of webhooks, events & certs
--- a/config/release/install.yaml
+++ b/config/release/install.yaml
@ -7278,6 +7278,7 @@ metadata:
    app.kubernetes.io/name: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
+    app.kubernetes.io/ownerreference: "true"
  name: kyverno:webhook
 rules:
 - apiGroups:
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -63,9 +63,6 @@ const (

 	// ClusterRoleKind define the default clusterrole resource kind
 	ClusterRoleKind = "ClusterRole"
-
-	// ClusterRoleName define the default name of clusterrole
-	ClusterRoleName = "kyverno:webhook"
 )

 var (
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@ -60,27 +60,27 @@ func extractCA(config *rest.Config) (result []byte) {
 func (wrc *Register) constructOwner() v1.OwnerReference {
 	logger := wrc.log

-	kubeClusterRole, err := wrc.GetKubePolicyClusterRole()
+	kubeClusterRoleName, err := wrc.GetKubePolicyClusterRoleName()
 	if err != nil {
-		logger.Error(err, "failed to construct OwnerReference")
+		logger.Error(err, "failed to get cluster role")
 		return v1.OwnerReference{}
 	}

 	return v1.OwnerReference{
 		APIVersion: config.ClusterRoleAPIVersion,
 		Kind:       config.ClusterRoleKind,
-		Name:       config.ClusterRoleName,
-		UID:        kubeClusterRole.GetUID(),
+		Name:       kubeClusterRoleName.GetName(),
+		UID:        kubeClusterRoleName.GetUID(),
 	}
 }

-func (wrc *Register) GetKubePolicyClusterRole() (*unstructured.Unstructured, error) {
-	kubeNamespace, err := wrc.client.GetResource(config.ClusterRoleAPIVersion, config.ClusterRoleKind, "", config.ClusterRoleName)
+func (wrc *Register) GetKubePolicyClusterRoleName() (*unstructured.Unstructured, error) {
+	clusterRole, err := wrc.client.ListResource(config.ClusterRoleAPIVersion, config.ClusterRoleKind, "", &v1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/ownerreference": "true"}})
 	if err != nil {
 		return nil, err
 	}

-	return kubeNamespace, nil
+	return &clusterRole.Items[0], nil
 }

 // GetKubePolicyDeployment gets Kyverno deployment using the resource cache