From fa95132806912ba77de5d9d20bef4fd675ff7f5e Mon Sep 17 00:00:00 2001
From: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Date: Tue, 16 Nov 2021 17:02:42 +0530
Subject: [PATCH] Fix: Hard-coded ClusterRoleName in OwnerRef breaks  (#2718)

* fix hardcoded clusterrole name

* Fix label
---
 charts/kyverno/templates/clusterrole.yaml |  1 +
 config/install.yaml                       |  1 +
 config/install_debug.yaml                 |  1 +
 config/k8s-resource/clusterroles.yaml     |  1 +
 config/release/install.yaml               |  1 +
 pkg/config/config.go                      |  3 ---
 pkg/webhookconfig/common.go               | 14 +++++++-------
 7 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/charts/kyverno/templates/clusterrole.yaml b/charts/kyverno/templates/clusterrole.yaml
index ac849a985d..f1ed05bac5 100644
--- a/charts/kyverno/templates/clusterrole.yaml
+++ b/charts/kyverno/templates/clusterrole.yaml
@@ -22,6 +22,7 @@ kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:webhook
   labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app.kubernetes.io/ownerreference: "true"
     app: kyverno
 rules:
 # Dynamic creation of webhooks, events & certs
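Review bot: Nothing in the manifest says that the added `app.kubernetes.io/ownerreference: "true"` label is now load-bearing: pkg/webhookconfig/common.go in this same patch locates the owner ClusterRole solely by listing on it, so a ClusterRole without it breaks OwnerReference construction. A comment above the label, such as `# Selected by the webhook register to build OwnerReferences; must stay on exactly one ClusterRole`, would make that visible. The same applies to the identical additions in config/install.yaml, config/install_debug.yaml, config/k8s-resource/clusterroles.yaml and config/release/install.yaml. The key also sits under the shared `app.kubernetes.io` prefix rather than one Kyverno owns, so any other ClusterRole carrying it would match the selector too; adding a Kyverno-specific label to the selector, such as the `app: kyverno` visible in this hunk, would narrow that.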
diff --git a/config/install.yaml b/config/install.yaml
index ed208b5ff8..d3a6d8cd2c 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -7360,6 +7360,7 @@ metadata:
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
     app.kubernetes.io/version: latest
+    app.kubernetes.io/ownerreference: "true"
   name: kyverno:webhook
 rules:
 - apiGroups:
diff --git a/config/install_debug.yaml b/config/install_debug.yaml
index f96a13c15c..fa56bd6e4c 100755
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@@ -7245,6 +7245,7 @@ kind: ClusterRole
 metadata:
   labels:
     app: kyverno
+    app.kubernetes.io/ownerreference: "true"
   name: kyverno:webhook
 rules:
 - apiGroups:
diff --git a/config/k8s-resource/clusterroles.yaml b/config/k8s-resource/clusterroles.yaml
index 10421db242..467a3b4868 100755
--- a/config/k8s-resource/clusterroles.yaml
+++ b/config/k8s-resource/clusterroles.yaml
@@ -22,6 +22,7 @@ kind: ClusterRole
 metadata:
   labels:
     app: kyverno
+    app.kubernetes.io/ownerreference: "true"
   name: kyverno:webhook
 rules:
 # Dynamic creation of webhooks, events & certs
diff --git a/config/release/install.yaml b/config/release/install.yaml
index ec1b7aded4..68f6fcce7c 100755
--- a/config/release/install.yaml
+++ b/config/release/install.yaml
@@ -7278,6 +7278,7 @@ metadata:
     app.kubernetes.io/name: kyverno
     app.kubernetes.io/part-of: kyverno
     app.kubernetes.io/version: latest
+    app.kubernetes.io/ownerreference: "true"
   name: kyverno:webhook
 rules:
 - apiGroups:
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 2ca04c7838..a3471b2718 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -63,9 +63,6 @@ const (
 
 	// ClusterRoleKind define the default clusterrole resource kind
 	ClusterRoleKind = "ClusterRole"
-
-	// ClusterRoleName define the default name of clusterrole
-	ClusterRoleName = "kyverno:webhook"
 )
 
 var (
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index daf893c486..bd3c79ac21 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@@ -60,27 +60,27 @@ func extractCA(config *rest.Config) (result []byte) {
 func (wrc *Register) constructOwner() v1.OwnerReference {
 	logger := wrc.log
 
-	kubeClusterRole, err := wrc.GetKubePolicyClusterRole()
+	kubeClusterRoleName, err := wrc.GetKubePolicyClusterRoleName()
 	if err != nil {
-		logger.Error(err, "failed to construct OwnerReference")
+		logger.Error(err, "failed to get cluster role")
 		return v1.OwnerReference{}
 	}
 
 	return v1.OwnerReference{
 		APIVersion: config.ClusterRoleAPIVersion,
 		Kind:       config.ClusterRoleKind,
-		Name:       config.ClusterRoleName,
-		UID:        kubeClusterRole.GetUID(),
+		Name:       kubeClusterRoleName.GetName(),
+		UID:        kubeClusterRoleName.GetUID(),
 	}
 }
 
-func (wrc *Register) GetKubePolicyClusterRole() (*unstructured.Unstructured, error) {
-	kubeNamespace, err := wrc.client.GetResource(config.ClusterRoleAPIVersion, config.ClusterRoleKind, "", config.ClusterRoleName)
+func (wrc *Register) GetKubePolicyClusterRoleName() (*unstructured.Unstructured, error) {
+	clusterRole, err := wrc.client.ListResource(config.ClusterRoleAPIVersion, config.ClusterRoleKind, "", &v1.LabelSelector{MatchLabels: map[string]string{"app.kubernetes.io/ownerreference": "true"}})
 	if err != nil {
 		return nil, err
 	}
 
-	return kubeNamespace, nil
+	return &clusterRole.Items[0], nil
 }
 
 // GetKubePolicyDeployment gets Kyverno deployment using the resource cache
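Review bot: `&clusterRole.Items[0]` in GetKubePolicyClusterRoleName is indexed without a length check, so when no ClusterRole carries `app.kubernetes.io/ownerreference: "true"` (for instance one applied from manifests that predate the label) the call panics instead of returning an error. The selector is also cluster-wide and keyed on that single label, so if more than one ClusterRole matches, whichever is listed first becomes the owner. Because an OwnerReference ties a dependent's garbage collection to its owner, picking an unrelated role would presumably let that role's deletion remove whatever constructOwner's result is attached to. Returning an error for zero or multiple matches, as sketched below (assuming `fmt` is imported in common.go), keeps constructOwner on its existing error path. The function and the local in constructOwner are also named `...Name` while holding the whole object, which is misleading.

```go
func (wrc *Register) GetKubePolicyClusterRoleName() (*unstructured.Unstructured, error) {
	// … unchanged: ListResource call with the ownerreference label selector and its error check …

	// Items is empty when no ClusterRole carries the label; indexing it
	// unconditionally would panic. More than one match is ambiguous, so
	// refuse to guess which object should own the webhook resources.
	switch len(clusterRole.Items) {
	case 0:
		return nil, fmt.Errorf("no ClusterRole labelled app.kubernetes.io/ownerreference=true")
	case 1:
		return &clusterRole.Items[0], nil
	default:
		return nil, fmt.Errorf("%d ClusterRoles labelled app.kubernetes.io/ownerreference=true, expected exactly one", len(clusterRole.Items))
	}
}
```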