allow-list ocp controller sa in vap

yoobinshin · yoobinshin · commit 6fbcd00e97a9 · 2025-10-06T16:58:46.000-04:00
diff --git a/pkg/webhook/managedresource/validatingadmissionpolicy.go b/pkg/webhook/managedresource/validatingadmissionpolicy.go
@@ -75,7 +75,7 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy, isHub
 		},
 		Validations: []admv1.Validation{
 			{
-				Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups`,
+				Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups || "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups`,
 				Message:    "Create, Update, or Delete operations on ARM managed resources is forbidden",
 				Reason:     &forbidden,
 			},

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy, isHub`
`75`	`75`	`},`
`76`	`76`	`Validations: []admv1.Validation{`
`77`	`77`	`{`
`78`		- Expression: `"system:masters" in request.userInfo.groups \|\| "system:serviceaccounts:kube-system" in request.userInfo.groups \|\| "system:serviceaccounts:fleet-system" in request.userInfo.groups`,
	`78`	+ Expression: `"system:masters" in request.userInfo.groups \|\| "system:serviceaccounts:kube-system" in request.userInfo.groups \|\| "system:serviceaccounts:fleet-system" in request.userInfo.groups \|\| "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups`,
`79`	`79`	`Message: "Create, Update, or Delete operations on ARM managed resources is forbidden",`
`80`	`80`	`Reason: &forbidden,`
`81`	`81`	`},`