update and fix perms after reviewing audit logs

Author: a7vicky

pkg/webhooks/hcpnamespace/hcpnamespace.go

@@ -27,6 +27,7 @@ var (
 		"system:serviceaccount:open-cluster-management-agent:klusterlet",
 		"system:serviceaccount:hypershift:operator",
 		"system:serviceaccount:ocm:ocm",
+		"system:serviceaccount:kube-system:namespace-controller",
 	}
 
 	// Protected namespace patterns

pkg/webhooks/hostedcontrolplane/hostedcontrolplane.go

@@ -23,11 +23,14 @@ const (
 var (
 	// Full usernames of Service accounts allowed to delete HostedControlPlanes
 	allowedServiceAccountsUsernames = []string{
-		"system:serviceaccount:open-cluster-management-agent:klusterlet-work-sa", "system:serviceaccount:kube-system:generic-garbage-collector",
+		"system:serviceaccount:open-cluster-management-agent:klusterlet-work-sa",
+		"system:serviceaccount:kube-system:generic-garbage-collector",
+		"system:serviceaccount:hypershift:operator",
 	}
 	// Names of Service accounts allowed to delete HostedControlPlanes
 	allowedServiceAccountsNames = []string{
-		"cluster-api", "control-plane-pki-operator",
+		"cluster-api",
+		"control-plane-pki-operator",
 	}
 
 	scope = admissionregv1.NamespacedScope

pkg/webhooks/manifestworks/manifestworks.go

@@ -23,9 +23,6 @@ const (
 var (
 	// List of service accounts allowed to delete ManifestWorks
 	allowedServiceAccounts = []string{
-		"system:serviceaccount:open-cluster-management-agent:klusterlet-work-sa",
-		"system:serviceaccount:open-cluster-management-agent:klusterlet",
-		"system:serviceaccount:hypershift:operator",
 		"system:serviceaccount:ocm:ocm",
 		"system:serviceaccount:kube-system:generic-garbage-collector",
 		"system:serviceaccount:multicluster-engine:ocm-foundation-sa",

pkg/webhooks/manifestworks/manifestworks_test.go

@@ -17,20 +17,14 @@ func TestManifestWorksAuthorized(t *testing.T) {
 		shouldBeAllowed bool
 	}{
 		{
-			name:            "Klusterlet work SA can delete manifestworks",
-			username:        "system:serviceaccount:open-cluster-management-agent:klusterlet-work-sa",
+			name:            "OCM SA can delete manifestworks",
+			username:        "system:serviceaccount:ocm:ocm",
 			operation:       admissionv1.Delete,
 			shouldBeAllowed: true,
 		},
 		{
-			name:            "Klusterlet SA can delete manifestworks",
-			username:        "system:serviceaccount:open-cluster-management-agent:klusterlet",
-			operation:       admissionv1.Delete,
-			shouldBeAllowed: true,
-		},
-		{
-			name:            "Hypershift operator can delete manifestworks",
-			username:        "system:serviceaccount:hypershift:operator",
+			name:            "ocm-foundation-s SA can delete manifestworks",
+			username:        "system:serviceaccount:multicluster-engine:ocm-foundation-sa",
 			operation:       admissionv1.Delete,
 			shouldBeAllowed: true,
 		},