Merge pull request #36 from hectorj2f/hectorj2f/fix_sa_perms

sigstore · Nov 12, 2021 · 8d265cd · 8d265cd
2 parents ff6751b + 8b2fd97
commit 8d265cd
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml
@@ -8,7 +8,7 @@ sources:
 type: application
 
 name: cosigned
-version: v0.1.2
+version: v0.1.3
 appVersion: v1.3.1
 
 maintainers:

diff --git a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
@@ -25,3 +25,11 @@ rules:
     # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
     # which requires we can Get the system namespace.
     resourceNames: [ "{{ .Release.Namespace }}" ]
+
+  # This is needed by k8schain to support fetching pull secrets attached to pod specs
+  # or their service accounts.  If pull secrets aren't used, the "secrets" below can
+  # be safely dropped, but the logic will fetch the service account to check for pull
+  # secrets.
+  - apiGroups: [""]
+    resources: ["serviceaccounts", "secrets"]
+    verbs: ["get"]