Add Cluster role for kyverno

rrajashe · rrajashe · commit 3145cd48b196 · 2025-04-07T14:02:43.000-04:00
This will make sure kyverno has permission over the resources referenced in the policy
diff --git a/components/cost-management/policies/kustomization.yaml b/components/cost-management/policies/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- update_namespace_labels.yaml
+- kyverno_rbac.yaml
diff --git a/components/cost-management/policies/kyverno_rbac.yaml b/components/cost-management/policies/kyverno_rbac.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-read-kubearchiveconfig
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - kubearchive.kubearchive.org
+  resources:
+  - kubearchiveconfigs
+  verbs:
+  - list
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno-manage-kubearchiveconfig
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - kubearchive.kubearchive.org
+  resources:
+  - kubearchiveconfigs
+  verbs:
+  - create
+  - get
+  - list
+  - delete
+  - update
