chore(rbac): add access to IDMS and ITMS

mjshastha · mjshastha · commit 080de2d6f47f · 2025-08-01T11:42:05.000+05:30
Add RBAC rules for imagedigestmirrorsets and imagetagmirrorsets under the config.openshift.io API group.
Required for Kube Enforcer to observe and respond to OpenShift mirror set configurations.
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
@@ -160,6 +160,9 @@ rules:
 #  - apiGroups: ["operator.openshift.io"]
 #    resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 #    verbs: ["get", "list", "watch"]
+#  - apiGroups: ["config.openshift.io"]
+#    resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+#    verbs: ["get", "list", "watch"]
 #  - apiGroups: [ "" ]
 #    resources: ["endpoints"]
 #    verbs: [ "list" ]
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
@@ -331,6 +331,9 @@ rules:
 #  - apiGroups: ["operator.openshift.io"]
 #    resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 #    verbs: ["get", "list", "watch"]
+#  - apiGroups: ["config.openshift.io"]
+#    resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+#    verbs: ["get", "list", "watch"]
 #  - apiGroups: [ "" ]
 #    resources: ["endpoints"]
 #    verbs: [ "list" ]
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
@@ -331,6 +331,9 @@ rules:
 #  - apiGroups: ["operator.openshift.io"]
 #    resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 #    verbs: ["get", "list", "watch"]
+#  - apiGroups: ["config.openshift.io"]
+#    resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+#    verbs: ["get", "list", "watch"]
 #  - apiGroups: [ "" ]
 #    resources: ["endpoints"]
 #    verbs: [ "list" ]
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
@@ -184,6 +184,9 @@ rules:
 #  - apiGroups: ["operator.openshift.io"]
 #    resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 #    verbs: ["get", "list", "watch"]
+#  - apiGroups: ["config.openshift.io"]
+#    resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+#    verbs: ["get", "list", "watch"]
 #  - apiGroups: [ "" ]
 #    resources: ["endpoints"]
 #    verbs: [ "list" ]
