[e2e] fix: allow kubernetes-admin to make changes

Signed-off-by: Evsyukov Denis <denis.evsyukov@flant.com>
deckhouse · Aug 5, 2024 · 5da65fe · 5da65fe
1 parent c7b9936
commit 5da65fe
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/modules/002-deckhouse/templates/validation.yaml b/modules/002-deckhouse/templates/validation.yaml
@@ -68,6 +68,8 @@ spec:
       expression: '!(["system:nodes", "system:masters", "system:serviceaccounts:kube-system"].exists(e, (e in request.userInfo.groups)))'
     - name: 'exclude-kube-control-plane' # Ignore kube-controller manager and kube-scheduler
       expression: '!(["system:kube-controller-manager", "system:kube-scheduler", "system:volume-scheduler"].exists(e, (e == request.userInfo.username)))'
+    - name: 'exclude-kubernetes-admin'
+      expression: '!(["kubernetes-admin"].exists(e, (e == request.userInfo.username)))'
   validations:
     - expression: 'request.userInfo.username.startsWith("system:serviceaccount:d8-")'
       reason: Forbidden
@@ -77,7 +79,7 @@ spec:
       valueExpression: "'User: ' + string(request.userInfo.username) + ' tries to change object with the heritage label'"
 {{- else }}
   validations:
-    - expression: 'request.userInfo.username.startsWith("system:serviceaccount:d8-") || ["system:kube-controller-manager", "system:kube-scheduler", "system:volume-scheduler"].exists(e, (e == request.userInfo.username)) || ["system:nodes", "system:masters", "system:serviceaccounts:kube-system"].exists(e, (e in request.userInfo.groups))'
+    - expression: 'request.userInfo.username.startsWith("system:serviceaccount:d8-") || ["system:kube-controller-manager", "system:kube-scheduler", "system:volume-scheduler"].exists(e, (e == request.userInfo.username)) || ["system:nodes", "system:masters", "system:serviceaccounts:kube-system"].exists(e, (e in request.userInfo.groups)) || ["kubernetes-admin"].exists(e, (e == request.userInfo.username))'
       reason: Forbidden
 {{- end }}
 ---