From 3e408da567374b834dba1ab09fd2349a51a1f6ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20St=C3=A4bler?= <cstabler@redhat.com>
Date: Tue, 2 Jul 2024 12:18:01 +0200
Subject: [PATCH] Fix RBAC permissions to get/list/watch eventpolicies

---
 .../mt-channel-broker/roles/filter-clusterrole.yaml   |  1 +
 .../mt-channel-broker/roles/ingress-clusterrole.yaml  |  1 +
 .../roles/dispatcher-clusterrole.yaml                 |  8 +++++++-
 config/core/roles/job-sink-clusterrole.yaml           |  9 ++++++++-
 config/core/roles/webhook-clusterrole.yaml            | 11 ++++++++++-
 5 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml b/config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml
index f7ea52d806a..758a07893a4 100644
--- a/config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml
+++ b/config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml
@@ -26,6 +26,7 @@ rules:
       - brokers/status
       - triggers
       - triggers/status
+      - eventpolicies
     verbs:
       - get
       - list
diff --git a/config/brokers/mt-channel-broker/roles/ingress-clusterrole.yaml b/config/brokers/mt-channel-broker/roles/ingress-clusterrole.yaml
index 63ea619855f..1d6c0681644 100644
--- a/config/brokers/mt-channel-broker/roles/ingress-clusterrole.yaml
+++ b/config/brokers/mt-channel-broker/roles/ingress-clusterrole.yaml
@@ -32,6 +32,7 @@ rules:
       - eventing.knative.dev
     resources:
       - brokers
+      - eventpolicies
     verbs:
       - get
       - list
diff --git a/config/channels/in-memory-channel/roles/dispatcher-clusterrole.yaml b/config/channels/in-memory-channel/roles/dispatcher-clusterrole.yaml
index 549bc507f43..d2166397644 100644
--- a/config/channels/in-memory-channel/roles/dispatcher-clusterrole.yaml
+++ b/config/channels/in-memory-channel/roles/dispatcher-clusterrole.yaml
@@ -76,8 +76,14 @@ rules:
       - eventing.knative.dev
     resources:
       - eventtypes
+      - eventpolicies
     verbs:
-      - create
       - get
       - list
       - watch
+  - apiGroups:
+      - eventing.knative.dev
+    resources:
+      - eventtypes
+    verbs:
+      - create
diff --git a/config/core/roles/job-sink-clusterrole.yaml b/config/core/roles/job-sink-clusterrole.yaml
index 88b3de1dd8b..0e70b5a7302 100644
--- a/config/core/roles/job-sink-clusterrole.yaml
+++ b/config/core/roles/job-sink-clusterrole.yaml
@@ -82,4 +82,11 @@ rules:
       - create
       - update
       - patch
-
+  - apiGroups:
+      - eventing.knative.dev
+    resources:
+      - eventpolicies
+    verbs:
+      - get
+      - list
+      - watch
diff --git a/config/core/roles/webhook-clusterrole.yaml b/config/core/roles/webhook-clusterrole.yaml
index 9fdeb70a6a9..dc8f07ca209 100644
--- a/config/core/roles/webhook-clusterrole.yaml
+++ b/config/core/roles/webhook-clusterrole.yaml
@@ -128,6 +128,15 @@ rules:
       - "create"
       - "patch"
 
+  - apiGroups:
+      - eventing.knative.dev
+    resources:
+      - eventpolicies
+    verbs:
+      - get
+      - list
+      - watch
+
   # For the SinkBinding reconciler adding the OIDC identity service accounts
   - apiGroups:
       - ""
@@ -178,4 +187,4 @@ rules:
 
   - apiGroups: ["batch"]
     resources: ["jobs"]
-    verbs: ["create"]
+    verbs: ["create"]
\ No newline at end of file