make sync and doc generate

Author: diakovnec

build/selectorsyncset.yaml

@@ -274,6 +274,36 @@ objects:
           scope: Cluster
         sideEffects: None
         timeoutSeconds: 2
+    - apiVersion: admissionregistration.k8s.io/v1
+      kind: ValidatingWebhookConfiguration
+      metadata:
+        annotations:
+          service.beta.openshift.io/inject-cabundle: "true"
+        creationTimestamp: null
+        name: sre-clusterroles-validation
+      webhooks:
+      - admissionReviewVersions:
+        - v1
+        clientConfig:
+          service:
+            name: validation-webhook
+            namespace: openshift-validation-webhook
+            path: /clusterroles-validation
+        failurePolicy: Ignore
+        matchPolicy: Equivalent
+        name: clusterroles-validation.managed.openshift.io
+        rules:
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          apiVersions:
+          - v1
+          operations:
+          - DELETE
+          resources:
+          - clusterroles
+          scope: Cluster
+        sideEffects: None
+        timeoutSeconds: 2
     - apiVersion: admissionregistration.k8s.io/v1
       kind: ValidatingWebhookConfiguration
       metadata:

pkg/webhooks/clusterrole/clusterrole.go

@@ -19,8 +19,9 @@ import (
 )
 
 const (
-	WebhookName string = "clusterroles-validation"
-	docString   string = `Managed OpenShift Customers may not delete protected ClusterRoles including cluster-admin, view, edit, admin, specific system roles (system:admin, system:node, system:node-proxier, system:kube-scheduler, system:kube-controller-manager), and backplane-* roles`
+	WebhookName     string = "clusterroles-validation"
+	backplanePrefix string = "backplane-"
+	docString       string = `Managed OpenShift Customers may not delete protected ClusterRoles including cluster-admin, view, edit, admin, specific system roles (system:admin, system:node, system:node-proxier, system:kube-scheduler, system:kube-controller-manager), and backplane-* roles`
 )
 
 var (
@@ -47,7 +48,6 @@ var (
 		"admin",
 		"system:admin",
 		"system:node",
-		"system:node-proxier",
 		"system:kube-scheduler",
 		"system:kube-controller-manager",
 	}
@@ -172,12 +172,10 @@ func isProtectedClusterRole(clusterRole *rbacv1.ClusterRole) bool {
 	if slices.Contains(protectedClusterRoles, clusterRole.Name) {
 		return true
 	}
-
 	// Check if it matches backplane pattern
-	if strings.HasPrefix(clusterRole.Name, "backplane-") {
+	if strings.HasPrefix(clusterRole.Name, backplanePrefix) {
 		return true
 	}
-
 	return false
 }