Merge pull request #618 from sluetze/sandboxed-containers

yuumasato · web-flow · commit 3065c0907fef · 2025-02-11T10:12:39.000+01:00
add read permission for kataconfig
diff --git a/bundle/manifests/compliance-operator.clusterserviceversion.yaml b/bundle/manifests/compliance-operator.clusterserviceversion.yaml
@@ -1098,6 +1098,13 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - kataconfiguration.openshift.io
+          resources:
+          - kataconfigs
+          verbs:
+          - list
+          - get
         serviceAccountName: api-resource-collector
       - rules:
         - apiGroups:
diff --git a/config/manifests/bases/compliance-operator.clusterserviceversion.yaml b/config/manifests/bases/compliance-operator.clusterserviceversion.yaml
@@ -1176,6 +1176,13 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - kataconfiguration.openshift.io
+          resources:
+          - kataconfigs
+          verbs:
+          - list
+          - get
         serviceAccountName: api-resource-collector
       - rules:
         - apiGroups:
diff --git a/config/rbac/api_resource_collector_cluster_role.yaml b/config/rbac/api_resource_collector_cluster_role.yaml
@@ -867,3 +867,11 @@ rules:
     verbs:
       - get
       - list
+  # Necessary to check for sandboxed-containers config for BSI requirements
+  - apiGroups:
+      - kataconfiguration.openshift.io
+    verbs:
+      - list
+      - get
+    resources:
+      - kataconfigs
