Fix operator perms

charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrole.yaml

@@ -12,6 +12,8 @@ metadata:
 {{- end }}
 aggregationRule:
   clusterRoleSelectors:
+    - matchLabels:
+        rbac.kyverno.io/aggregate-to-admission-controller: "true"
     - matchLabels:
         {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }}
 ---

charts/enterprise-kyverno-operator/templates/kyverno-1.12/admission-controller/clusterrolebinding.yaml

@@ -18,4 +18,21 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
     namespace: {{ template "kyverno.namespace" . }}
+{{- if .Values.kyverno.admissionController.rbac.createViewRoleBinding }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.admission-controller.roleName" . }}:view
+  labels:
+    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kyverno.admissionController.rbac.viewRoleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+    namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
 {{- end -}}

charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrole.yaml

@@ -13,6 +13,8 @@ metadata:
 {{- end }}
 aggregationRule:
   clusterRoleSelectors:
+    - matchLabels:
+        rbac.kyverno.io/aggregate-to-background-controller: "true"
     - matchLabels:
         {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }}
 ---

charts/enterprise-kyverno-operator/templates/kyverno-1.12/background-controller/clusterrolebinding.yaml

@@ -19,5 +19,22 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.background-controller.serviceAccountName" . }}
   namespace: {{ template "kyverno.namespace" . }}
+{{- if .Values.kyverno.backgroundController.rbac.createViewRoleBinding }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.background-controller.roleName" . }}:view
+  labels:
+    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kyverno.backgroundController.rbac.viewRoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.background-controller.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
 {{- end -}}
 {{- end -}}

charts/enterprise-kyverno-operator/templates/kyverno-1.12/cleanup-controller/clusterrole.yaml

@@ -13,6 +13,8 @@ metadata:
 {{- end }}
 aggregationRule:
   clusterRoleSelectors:
+    - matchLabels:
+        rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
     - matchLabels:
         {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }}
 ---

charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrole.yaml

@@ -13,6 +13,8 @@ metadata:
 {{- end }}
 aggregationRule:
   clusterRoleSelectors:
+    - matchLabels:
+        rbac.kyverno.io/aggregate-to-reports-controller: "true"
     - matchLabels:
         {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }}
 ---

charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/clusterrolebinding.yaml

@@ -19,5 +19,22 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
   namespace: {{ template "kyverno.namespace" . }}
+{{- if .Values.kyverno.reportsController.rbac.createViewRoleBinding }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.reports-controller.roleName" . }}:view
+  labels:
+    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.kyverno.reportsController.rbac.viewRoleName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
 {{- end -}}
 {{- end -}}

charts/enterprise-kyverno-operator/templates/kyverno-1.12/reports-controller/role.yaml

@@ -24,6 +24,14 @@ rules:
     resourceNames:
       - {{ include "kyverno.config.configMapName" . }}
       - {{ include "kyverno.config.metricsConfigMapName" . }}
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - coordination.k8s.io
     resources:

charts/enterprise-kyverno-operator/values.yaml

@@ -69,6 +69,11 @@ kyverno:
       # -- Extra resource permissions to add in the cluster role
       extraResources: []
   admissionController:
+    # -- Create rolebinding to view role
+    createViewRoleBinding: true
+
+    # -- The view role to use in the rolebinding
+    viewRoleName: view
     replicas: ~
     rbac:
       create: true
@@ -81,15 +86,7 @@ kyverno:
         # -- Extra resource permissions to add in the core cluster role.
         # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
         # @default -- See [values.yaml](values.yaml)
-        extraResources:
-          - apiGroups:
-              - '*'
-            resources:
-              - '*'
-            verbs:
-              - get
-              - list
-              - watch
+        extraResources: []
   templating:
     enabled: false
     image: ghcr.io/nirmata/kubectl:1.31.1
@@ -149,6 +146,12 @@ kyverno:
   reportsController:
     # -- Enable reports controller.
     enabled: true
+    # -- Create rolebinding to view role
+    createViewRoleBinding: true
+
+    # -- The view role to use in the rolebinding
+    viewRoleName: view
+
     rbac:
       # -- Create RBAC resources
       create: true
@@ -161,18 +164,16 @@ kyverno:
         # -- Extra resource permissions to add in the core cluster role.
         # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
         # @default -- See [values.yaml](values.yaml)
-        extraResources:
-          - apiGroups:
-              - '*'
-            resources:
-              - '*'
-            verbs:
-              - get
-              - list
-              - watch
+        extraResources: []
   backgroundController:
     # -- Enable background controller.
     enabled: true
+
+    # -- Create rolebinding to view role
+    createViewRoleBinding: true
+
+    # -- The view role to use in the rolebinding
+    viewRoleName: view
     rbac:
       # -- Create RBAC resources
       create: true
@@ -186,14 +187,6 @@ kyverno:
         # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
         # @default -- See [values.yaml](values.yaml)
         extraResources:
-          - apiGroups:
-              - '*'
-            resources:
-              - '*'
-            verbs:
-              - get
-              - list
-              - watch
           - apiGroups:
               - networking.k8s.io
             resources: