Remove lease permissions for webhooks

aws · Nov 29, 2023 · f7f10e3 · f7f10e3
1 parent c7d94a3
commit f7f10e3
Showing 1 changed file with 1 addition and 11 deletions.
diff --git a/charts/karpenter/templates/role.yaml b/charts/karpenter/templates/role.yaml
@@ -16,7 +16,7 @@ rules:
     verbs: ["get", "watch"]
 {{- if .Values.webhook.enabled }}
   - apiGroups: [""]
-    resources: ["configmaps", "namespaces", "secrets"]
+    resources: ["configmaps", "secrets"]
     verbs: ["get", "list", "watch"]
 {{- end }}
   # Write
@@ -32,16 +32,6 @@ rules:
     verbs: ["patch", "update"]
     resourceNames:
       - "karpenter-leader-election"
-{{- if .Values.webhook.enabled }}
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["patch", "update"]
-    resourceNames:
-      - "webhook.configmapwebhook.00-of-01"
-      - "webhook.defaultingwebhook.00-of-01"
-      - "webhook.validationwebhook.00-of-01"
-      - "webhook.webhookcertificates.00-of-01"
-{{- end }}
   # Cannot specify resourceNames on create
   # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
   - apiGroups: ["coordination.k8s.io"]