feat(rbac): add cluster role and binding for pod identity webhook access

jastBytes · jastBytes · commit 8e62bb2fc377 · 2026-03-30T11:40:28.000+02:00
diff --git a/charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/rbac.yaml b/charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/rbac.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: stackit-pod-identity-webhook-access
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: stackit-pod-identity-webhook-access-binding
+subjects:
+- kind: ServiceAccount # from shoot access secret
+  name: pod-identity-webhook
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: stackit-pod-identity-webhook-access
+  apiGroup: rbac.authorization.k8s.io
