From 7e1ecaf74cef412da45d383b3bc53cae270d61db Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 16 May 2026 23:30:07 +0000
Subject: [PATCH] kyverno: codify aggregated ClusterRole for keel mutate-existing
The previous commit (bc714755) added mutateExistingOnPolicyUpdate=true to the inject-keel-annotations ClusterPolicy but Kyverno's validate webhook rejected it: the background-controller SA needs update/patch on apps/v1 Deployment/StatefulSet/DaemonSet. Created live via kubectl + now in TF so the next apply is idempotent. The ClusterRole aggregates into kyverno:background-controller via the rbac.kyverno.io/aggregate-to-background-controller label.
Co-Authored-By: Claude Opus 4.7
---
 .../modules/kyverno/keel-annotations.tf | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/stacks/kyverno/modules/kyverno/keel-annotations.tf b/stacks/kyverno/modules/kyverno/keel-annotations.tf
index aa7b3780..3c17d87a 100644
--- a/stacks/kyverno/modules/kyverno/keel-annotations.tf
+++ b/stacks/kyverno/modules/kyverno/keel-annotations.tf
@@ -124,3 +124,23 @@ resource "kubernetes_manifest" "policy_inject_keel_annotations" {
 }
 depends_on = [helm_release.kyverno]
 }
+
+# Grant the Kyverno background-controller SA permission to mutate
+# Deployments / StatefulSets / DaemonSets — required for the policy
+# above (mutateExistingOnPolicyUpdate=true + mutate.targets). Kyverno's
+# `kyverno:background-controller` ClusterRole aggregates roles labeled
+# `rbac.kyverno.io/aggregate-to-background-controller: "true"`.
+resource "kubernetes_cluster_role" "keel_mutate_existing" {
+ metadata {
+ name = "kyverno:background-controller:keel-mutate-existing"
+ labels = { "rbac.kyverno.io/aggregate-to-background-controller" = "true" }
+ }
+ rule {
+ api_groups = ["apps"]
+ resources = ["deployments", "statefulsets", "daemonsets"]
+ verbs = ["get", "list", "watch", "update", "patch"]
+ }
+ depends_on = [helm_release.kyverno]
+}
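Review bot: The commit message says the ClusterRole was already created live with kubectl, so the first `terraform apply` of `kubernetes_cluster_role.keel_mutate_existing` will not be idempotent — the provider will try to create an object that already exists and fail — until it is brought into state, e.g. `terraform import <MODULE-ADDRESS>.kubernetes_cluster_role.keel_mutate_existing kyverno:background-controller:keel-mutate-existing` (or an `import` block), which the commit does not mention. Separately, the `rule` block grants the background-controller SA cluster-wide `update`/`patch` on every Deployment, StatefulSet and DaemonSet, i.e. the ability to rewrite any pod template in the cluster, not only the workloads the keel policy annotates; the header comment should state that blast radius and that the only scoping is the policy's `mutate.targets`, since a ClusterRole cannot narrow it by namespace, e.g. `# NOTE: cluster-wide update/patch on all apps/v1 workloads — scoping relies solely on mutate.targets in the policy above`. If Kyverno's mutate-existing path only needs `patch`, dropping `update` would shrink the grant; worth confirming against the Kyverno version deployed by `helm_release.kyverno` before relying on it.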