diff --git a/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml b/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml
index f3da1f097..12360c2f0 100644
--- a/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml
+++ b/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml
@@ -54,22 +54,22 @@ spec:
 # Velero — namespaced binding + Role, and the cluster-admin CRB
 - apiGroup: rbac.authorization.k8s.io
 kind: RoleBinding
- name: velero-server
+ name: ^velero-server$
 - apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: velero-server
+ name: ^velero-server$
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: velero-server
+ name: ^velero-server$
 # CloudNativePG — CRB whose ClusterRole explicitly grants pods/exec
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: cloudnative-pg
+ name: ^cloudnative-pg$
 # Flux kustomize-/helm-controller — cluster-admin via cluster-reconciler CRB
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: cluster-reconciler-flux-system
+ name: ^cluster-reconciler-flux-system$
 # Flux operator — cluster-admin CRB
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: flux-operator
+ name: ^flux-operator$
diff --git a/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml b/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml
index a9f4d3527..7efba81a4 100644
--- a/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml
+++ b/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml
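Review bot: In exec-into-container-rbac.yaml the `Role` and `RoleBinding` entries for `^velero-server$` are still selected by kind and name only within this hunk, so even with the anchors they would exempt an object of that name in any namespace, not just Velero's; the `Role` entry in wildcard-rbac.yaml has the same shape. If the exception schema supports a namespace constraint on a resource entry and the part of `spec` above the hunk does not already scope these, add one for the namespaced kinds so that a same-named Role elsewhere is not silently excluded from the control. Assuming `name` is evaluated as a regular expression, as the change implies, a single comment at the head of the list such as `# name is a regex: anchor with ^…$ so only the exact object is exempted` would keep future entries from reintroducing substring matches. The list begins above the hunk, so this is based only on the entries visible here.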
@@ -41,13 +41,13 @@ spec:
 resources:
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: cluster-reconciler-flux-system
+ name: ^cluster-reconciler-flux-system$
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: flux-operator
+ name: ^flux-operator$
 - apiGroup: rbac.authorization.k8s.io
 kind: ClusterRoleBinding
- name: velero-server
+ name: ^velero-server$
 - apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: velero-server
+ name: ^velero-server$
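Review bot: None of the four entries under `resources:` in wildcard-rbac.yaml records why the object is exempt from the wildcard-RBAC check, whereas the sibling exec-into-container-rbac.yaml carries a justification comment per group. Add the same kind of line above each entry, for example `# Flux operator — cluster-admin CRB` above `^flux-operator$` and `# Velero — namespaced Role` above the `Role` entry, adjusted if the reasons differ from the sibling file. An exemption list without stated reasons is hard to audit, because a stale or over-broad entry looks the same as an intended one. A header comment may exist above the hunk, but per-entry reasons are still worth having.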