fix: update vap to bypass fleet agents on arc clusters (#1188)

jim-minter · web-flow · commit 104eae9949f7 · 2025-09-08T16:19:08.000-06:00
diff --git a/pkg/webhook/managedresource/validatingadmissionpolicy.go b/pkg/webhook/managedresource/validatingadmissionpolicy.go
@@ -67,7 +67,7 @@ func GetValidatingAdmissionPolicy(isHub bool) *admv1.ValidatingAdmissionPolicy {
 			},
 			Validations: []admv1.Validation{
 				{
-					Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups`,
+					Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups`,
 					Message:    "Create, Update, or Delete operations on ARM managed resources is forbidden",
 					Reason:     &forbidden,
 				},

Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ func GetValidatingAdmissionPolicy(isHub bool) *admv1.ValidatingAdmissionPolicy {`
`67`	`67`	`},`
`68`	`68`	`Validations: []admv1.Validation{`
`69`	`69`	`{`
`70`		- Expression: `"system:masters" in request.userInfo.groups \|\| "system:serviceaccounts:kube-system" in request.userInfo.groups`,
	`70`	+ Expression: `"system:masters" in request.userInfo.groups \|\| "system:serviceaccounts:kube-system" in request.userInfo.groups \|\| "system:serviceaccounts:fleet-system" in request.userInfo.groups`,
`71`	`71`	`Message: "Create, Update, or Delete operations on ARM managed resources is forbidden",`
`72`	`72`	`Reason: &forbidden,`
`73`	`73`	`},`