fix: add ocirepositories to nsaccess rules

weaveworks · Feb 1, 2025 · bf9b879 · bf9b879
1 parent 9722058
commit bf9b879
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/core/nsaccess/nsaccess.go b/core/nsaccess/nsaccess.go
@@ -18,9 +18,14 @@ import (
 var DefautltWegoAppRules = []rbacv1.PolicyRule{
 	{
 		APIGroups: []string{""},
-		Resources: []string{"secrets", "pods", "events"},
+		Resources: []string{"pods", "secrets"},
 		Verbs:     []string{"get", "list"},
 	},
+	{
+		APIGroups: []string{""},
+		Resources: []string{"events"},
+		Verbs:     []string{"get", "list", "watch"},
+	},
 	{
 		APIGroups: []string{"apps"},
 		Resources: []string{"deployments", "replicasets"},
@@ -38,14 +43,9 @@ var DefautltWegoAppRules = []rbacv1.PolicyRule{
 	},
 	{
 		APIGroups: []string{"source.toolkit.fluxcd.io"},
-		Resources: []string{"buckets", "helmcharts", "gitrepositories", "helmrepositories"},
+		Resources: []string{"buckets", "helmcharts", "helmrepositories", "gitrepositories", "ocirepositories"},
 		Verbs:     []string{"get", "list"},
 	},
-	{
-		APIGroups: []string{""},
-		Resources: []string{"events"},
-		Verbs:     []string{"get", "list", "watch"},
-	},
 }
 
 // Checker contains methods for validing user access to Kubernetes namespaces, based on a set of PolicyRules