From f7f10e32dacacaf2a880c74a98418a81ea27ad90 Mon Sep 17 00:00:00 2001
From: Jonathan Innis
Date: Wed, 29 Nov 2023 12:07:33 -0800
Subject: [PATCH] Remove lease permissions for webhooks
---
 charts/karpenter/templates/role.yaml | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/charts/karpenter/templates/role.yaml b/charts/karpenter/templates/role.yaml
index bdcf4670865d..3862e5b3f27c 100644
--- a/charts/karpenter/templates/role.yaml
+++ b/charts/karpenter/templates/role.yaml
@@ -16,7 +16,7 @@ rules:
 verbs: ["get", "watch"]
 {{- if .Values.webhook.enabled }}
 - apiGroups: [""]
- resources: ["configmaps", "namespaces", "secrets"]
+ resources: ["configmaps", "secrets"]
 verbs: ["get", "list", "watch"]
 {{- end }}
 # Write
@@ -32,16 +32,6 @@ rules:
 verbs: ["patch", "update"]
 resourceNames:
 - "karpenter-leader-election"
-{{- if .Values.webhook.enabled }}
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["patch", "update"]
- resourceNames:
- - "webhook.configmapwebhook.00-of-01"
- - "webhook.defaultingwebhook.00-of-01"
- - "webhook.validationwebhook.00-of-01"
- - "webhook.webhookcertificates.00-of-01"
-{{- end }}
 # Cannot specify resourceNames on create
 # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
 - apiGroups: ["coordination.k8s.io"]
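Review bot: The webhook read rule in the first hunk still grants `get`, `list` and `watch` on every `secrets` object this Role covers, with no `resourceNames`, and since the commit is already trimming that rule it is worth narrowing or at least documenting. If the webhook only reads its own certificate secret, consider moving secrets into a separate rule with `resourceNames: ["<webhook-cert-secret-name>"]` (placeholder; the name is not visible in this patch), bearing in mind that `list` and `watch` are only constrained by `resourceNames` when the client selects on `metadata.name`. If namespace-wide read is genuinely required, a comment above the rule such as `# webhook needs list/watch on secrets in this namespace because <reason>` would record that for the next reviewer. The subject line mentions only leases, so the removal of `namespaces` from this rule should also be stated in the commit description. The `rules:` list begins and continues outside both hunks, so other grants on secrets may exist that are not visible here.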