From bf9b8793dbc5254f8518c65343e4573a53ad4207 Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Sat, 1 Feb 2025 10:46:36 +0100
Subject: [PATCH] fix: add ocirepositories to nsaccess rules

---
 core/nsaccess/nsaccess.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/core/nsaccess/nsaccess.go b/core/nsaccess/nsaccess.go
index d661ee03d8..cd7ad2298f 100644
--- a/core/nsaccess/nsaccess.go
+++ b/core/nsaccess/nsaccess.go
@@ -18,9 +18,14 @@ import (
 var DefautltWegoAppRules = []rbacv1.PolicyRule{
 {
 APIGroups: []string{""},
- Resources: []string{"secrets", "pods", "events"},
+ Resources: []string{"pods", "secrets"},
 Verbs: []string{"get", "list"},
 },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{"get", "list", "watch"},
+ },
 {
 APIGroups: []string{"apps"},
 Resources: []string{"deployments", "replicasets"},
@@ -38,14 +43,9 @@ var DefautltWegoAppRules = []rbacv1.PolicyRule{
 },
 {
 APIGroups: []string{"source.toolkit.fluxcd.io"},
- Resources: []string{"buckets", "helmcharts", "gitrepositories", "helmrepositories"},
+ Resources: []string{"buckets", "helmcharts", "helmrepositories", "gitrepositories", "ocirepositories"},
 Verbs: []string{"get", "list"},
 },
- {
- APIGroups: []string{""},
- Resources: []string{"events"},
- Verbs: []string{"get", "list", "watch"},
- },
 }
 
 // Checker contains methods for validing user access to Kubernetes namespaces, based on a set of PolicyRules
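Review bot: `DefautltWegoAppRules` is an exported, access-relevant list with no doc comment, and the rules regrouped here give no hint why `watch` is required for `events` but not for `pods` or `secrets`. I would add above the declaration something like `// DefautltWegoAppRules lists the permissions evaluated when deciding whether a user may access a namespace; adding a resource or verb changes who passes that check.` This assumes the Checker declared further down evaluates users against this slice, which the hunk does not show. The first rule also still lists `secrets`, so a short comment on why secret read access is part of the baseline would help whoever audits the roles built from it. The declaration continues past the end of the hunk.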
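Review bot: Adding `ocirepositories` to the `source.toolkit.fluxcd.io` rule may lock out users whose Role or ClusterRole was written against the old resource list. That holds if a user must satisfy every rule in this slice, as the Checker comment below suggests; the evaluation code is outside the hunk. The diffstat shows only this file changing, so the RBAC manifests and operator documentation that say what to grant should gain `ocirepositories` in the same change. A test case for a user lacking that permission would pin the intended outcome. The swap of `helmrepositories` and `gitrepositories` on the same line is unrelated to the fix; keeping the list alphabetical would make later permission changes easier to audit.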