Updates webhook cluster role to work with OwnerReferencesPermissionEnforcement

When running on Kubernetes platforms like OpenShift where the OwnerReferencesPermissionEnforcement is "on" we need to have additional ClusterRole rules added. In particular our knative tooling for our webhooks is assigning the OwnerRef of the (mutating/validating)webhookconfiguration resources to the tekton-pipelines namespace.

We need to update the webhooks ClusterRole to allow "delete" for both `mutatingwebhookconfigurations` and `validatingwebhookconfigurations` as well as "update" for `namespaces/finalizers` for the tekton-pipelines namespace.
skaegi authored and tekton-robot committed Oct 1, 2021
1 parent bdc4d20 commit 02a2c15
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions config/200-clusterrole.yaml
@@ -87,15 +87,15 @@ rules:
resourceNames: ["webhook.pipeline.tekton.dev"]
# When there are changes to the configs or secrets, knative updates the mutatingwebhook config
# with the updated certificates or the refreshed set of rules.
verbs: ["get", "update"]
verbs: ["get", "update", "delete"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
# validation.webhook.pipeline.tekton.dev performs schema validation when you, for example, create TaskRuns.
# config.webhook.pipeline.tekton.dev validates the logging configuration against knative's logging structure
resourceNames: ["validation.webhook.pipeline.tekton.dev", "config.webhook.pipeline.tekton.dev"]
# When there are changes to the configs or secrets, knative updates the validatingwebhook config
# with the updated certificates or the refreshed set of rules.
verbs: ["get", "update"]
verbs: ["get", "update", "delete"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames: ["tekton-pipelines"]
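Review bot: the rationale comments above both `verbs: ["get", "update", "delete"]` lines (the `mutatingwebhookconfigurations` entry and the `validatingwebhookconfigurations` entry) still only say that knative updates the config with refreshed certificates or rules, so the new `delete` verb reads as an unexplained widening. Please extend those comments to state why it is needed: the OwnerReferencesPermissionEnforcement admission plugin only allows a client to set `metadata.ownerReferences` on an object it is permitted to delete, and the webhook sets the namespace as owner of these cluster-scoped configs. The grant stays constrained by `resourceNames` (`webhook.pipeline.tekton.dev`, `validation.webhook.pipeline.tekton.dev`, `config.webhook.pipeline.tekton.dev`), which is the right shape; do not be tempted to add `deletecollection` later, as RBAC cannot scope that verb by `resourceNames` and it would turn this into delete on every webhook configuration in the cluster.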
@@ -106,3 +106,9 @@ rules:
# The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
# which requires we can Get the system namespace.
resourceNames: ["tekton-pipelines"]
- apiGroups: [""]
resources: ["namespaces/finalizers"]
verbs: ["update"]
# The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
# which requires we can update the system namespace finalizers.
resourceNames: ["tekton-pipelines"]
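Review bot: the comment on the new `namespaces/finalizers` rule is copied almost verbatim from the `namespaces` get rule above it and says that finalizer updates are required without saying why; please reword it to record the actual trigger, namely that OwnerReferencesPermissionEnforcement requires `update` on the owner's `finalizers` subresource when an owner reference sets `blockOwnerDeletion`, so the next maintainer does not drop it as a duplicate. Keeping this as a separate rule rather than folding `namespaces/finalizers` into the existing `namespaces` rule is correct, since merging resources and verbs in one rule would also grant `update` on the namespace object itself; the `resourceNames: ["tekton-pipelines"]` scoping should likewise stay, as a bare `namespaces/finalizers` update across all namespaces would let the webhook block or unblock deletion of any namespace.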
