Adjust the allow list for managed resource vap

Nont · Nont · commit 9066d2df16e6 · 2025-10-21T14:41:01.000-05:00
Signed-off-by: Nont &lt;nont@duck.com&gt;
diff --git a/pkg/webhook/managedresource/validatingadmissionpolicy.go b/pkg/webhook/managedresource/validatingadmissionpolicy.go
@@ -53,14 +53,24 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy) {
 		},
 		Validations: []admv1.Validation{
 			{
-				Expression: `(
-					request.userInfo.username == "aksService" ||
-					request.userInfo.username == "fleet-member-agent-sa")
-					&& (
-					"system:masters" in request.userInfo.groups ||
-					"system:serviceaccounts:kube-system" in request.userInfo.groups ||
-					"system:serviceaccounts:fleet-system" in request.userInfo.groups ||
-					"system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups)`,
+				Expression: `
+				(
+					(
+						request.userInfo.username == "aksService" ||
+						request.userInfo.username == "fleet-member-agent-sa"
+					)
+				    &&
+					(
+						"system:masters" in request.userInfo.groups ||
+						"system:serviceaccounts:kube-system" in request.userInfo.groups ||
+						"system:serviceaccounts:fleet-system" in request.userInfo.groups ||
+						"system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups
+					)
+				)
+				  ||
+				(
+					"system:serviceaccounts:openshift-infra" in request.userInfo.groups
+				)`,
 				Message: "Create, Update, or Delete operations on ARM managed resources is forbidden",
 				Reason:  &forbidden,
 			},
