admission: Prevent leaking the validatingwebhookconfiguration resource in virtual garden cluster (#264)

ialidzhikov · web-flow · commit 2821ddc7e752 · 2026-03-31T15:46:51.000+02:00
diff --git a/charts/gardener-extension-admission-acl/charts/application/templates/rbac.yaml b/charts/gardener-extension-admission-acl/charts/application/templates/rbac.yaml
@@ -31,8 +31,16 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  resourceNames:
+  - {{ include "name" . }}
+  verbs:
   - patch
   - update
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/charts/gardener-extension-admission-acl/charts/runtime/templates/deployment.yaml b/charts/gardener-extension-admission-acl/charts/runtime/templates/deployment.yaml
@@ -44,6 +44,9 @@ spec:
         - --webhook-config-mode=service
         {{- end }}
         - --webhook-config-namespace={{ .Release.Namespace }}
+        {{- if .Values.gardener.virtualCluster.namespace }}
+        - --webhook-config-owner-namespace={{ .Values.gardener.virtualCluster.namespace }}
+        {{- end }}
         {{- if .Values.kubeconfig }}
         - --kubeconfig=/etc/gardener-extension-admission-acl/kubeconfig/kubeconfig
         {{- end }}
