From 080de2d6f47ff4cf6adb4f80044d42097b30737b Mon Sep 17 00:00:00 2001
From: mjshastha <61929310+mjshastha@users.noreply.github.com>
Date: Thu, 31 Jul 2025 15:26:02 +0530
Subject: [PATCH] chore(rbac): add access to IDMS and ITMS

Add RBAC rules for imagedigestmirrorsets and imagetagmirrorsets under the config.openshift.io API group. Required for Kube Enforcer to observe and respond to OpenShift mirror set configurations.
---
 .../manifests/kube_enforcer/001_kube_enforcer_config.yaml | 3 +++
 .../kube_enforcer_advanced/001_kube_enforcer_config.yaml | 3 +++
 .../kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml | 3 +++
 .../kube_enforcer_trivy/001_kube_enforcer_config.yaml | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
index 34e98cf4b..50a77db9e 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
@@ -160,6 +160,9 @@ rules:
 # - apiGroups: ["operator.openshift.io"]
 # resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 # verbs: ["get", "list", "watch"]
+# - apiGroups: ["config.openshift.io"]
+# resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+# verbs: ["get", "list", "watch"]
 # - apiGroups: [ "" ]
 # resources: ["endpoints"]
 # verbs: [ "list" ]
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
index be04fded8..96c7b78f8 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
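Review bot: The three added lines are commented out, exactly like the neighbouring operator.openshift.io rule, so applying this manifest unchanged still grants Kube Enforcer no access to ImageDigestMirrorSet or ImageTagMirrorSet objects, and the description's "required for Kube Enforcer to observe and respond" only holds once an operator uncomments them. Nothing in the hunk tells that operator when to do so; a one-line hint above the new block would, e.g. `# OpenShift only: uncomment to let Kube Enforcer read ImageDigestMirrorSet/ImageTagMirrorSet objects (config.openshift.io)`. The verb list (`get`, `list`, `watch`) is read-only, which is the right scope for an observer; it should stay that way if the block is ever enabled by default. The `rules:` list this sits in starts before the hunk.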
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
@@ -331,6 +331,9 @@ rules:
 # - apiGroups: ["operator.openshift.io"]
 # resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 # verbs: ["get", "list", "watch"]
+# - apiGroups: ["config.openshift.io"]
+# resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+# verbs: ["get", "list", "watch"]
 # - apiGroups: [ "" ]
 # resources: ["endpoints"]
 # verbs: [ "list" ]
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
index 0d6448125..553856d79 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
@@ -331,6 +331,9 @@ rules:
 # - apiGroups: ["operator.openshift.io"]
 # resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 # verbs: ["get", "list", "watch"]
+# - apiGroups: ["config.openshift.io"]
+# resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+# verbs: ["get", "list", "watch"]
 # - apiGroups: [ "" ]
 # resources: ["endpoints"]
 # verbs: [ "list" ]
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
index 9a3190834..37a3b54f7 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
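Review bot: ImageDigestMirrorSet and ImageTagMirrorSet are cluster-scoped resources, so the rule added here only does anything if the `rules:` list it extends belongs to a ClusterRole rather than a namespaced Role; that kind is declared before the hunk and cannot be confirmed from it, so please check it in the advanced and advanced_trivy manifests. If it is a ClusterRole, the read-only verbs are the appropriate least-privilege grant for an observer; if it is a Role, the block would be silently ineffective once uncommented. Since the whole block is commented out, a kubectl dry-run will not surface that mismatch, which is why it is worth checking by hand.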
@@ -184,6 +184,9 @@ rules:
 # - apiGroups: ["operator.openshift.io"]
 # resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
 # verbs: ["get", "list", "watch"]
+# - apiGroups: ["config.openshift.io"]
+# resources: ["imagedigestmirrorsets", "imagetagmirrorsets"]
+# verbs: ["get", "list", "watch"]
 # - apiGroups: [ "" ]
 # resources: ["endpoints"]
 # verbs: [ "list" ]
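Review bot: This is the fourth identical copy of the commented-out block (the diffstat lists all four manifests) and none of them says when it applies or how it relates to the operator.openshift.io rule directly above it, so the copies are likely to drift the next time one is edited. As I understand it, IDMS/ITMS supersede ImageContentSourcePolicy on newer OpenShift releases, so whoever enables this block probably also needs to decide about the adjacent ICSP rule for older clusters; a short comment in each copy, such as `# OpenShift: IDMS/ITMS (config.openshift.io) replace ImageContentSourcePolicy on newer releases; enable whichever your cluster uses`, would make that explicit without changing what is granted. The `rules:` list being extended starts before the hunk.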