From c5c196f3eedeabed11bcb707711d99b8ffea50e2 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 3 Apr 2024 12:38:35 -0500
Subject: [PATCH] Include extra RBAC.
---
 .../webhook-dnsimple/app/rbac.yaml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
index 332069d0..09ebe32f 100644
--- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
@@ -22,6 +22,32 @@ rules:
 verbs:
 - 'create'
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flow-schema-reader
+ labels:
+ app: cert-manager-webhook-dnsimple
+rules:
+ - apiGroups: ["flowcontrol.apiserver.k8s.io"]
+ resources: ["flowschemas", "prioritylevelconfigurations"]
+ verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: grant-flow-schema-permission
+ labels:
+ app: cert-manager-webhook-dnsimple
+subjects:
+ - kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: cert-manager
+roleRef:
+ kind: ClusterRole
+ name: flow-schema-reader
+ apiGroup: rbac.authorization.k8s.io
+---
 # apiserver gets the auth-delegator role to delegate auth decisions to the core apiserver
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
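Review bot: The two new cluster-scoped objects use generic names (`flow-schema-reader`, `grant-flow-schema-permission`) that are not tied to this app, so any other manifest in the cluster that defines the same name would share or overwrite the rule set and binding; prefixing them, e.g. `name: cert-manager-webhook-dnsimple:flow-schema-reader` with the matching `roleRef.name`, keeps ownership unambiguous. The grant itself is read-only (`list`, `watch`) on `flowschemas` and `prioritylevelconfigurations`, which is suitably narrow, but unlike the auth-delegator binding that follows it carries no comment saying why the webhook needs it; a line such as `# webhook serves an aggregated API and reads API Priority and Fairness config` would help the next RBAC audit (that reason is presumed from the resource names, so confirm it). The subject is hard-coded to ServiceAccount `webhook-dnsimple` in `cert-manager`, and the Deployment is outside this hunk, so verify that this is the account the pod actually runs as; otherwise the binding does nothing for the webhook and leaves a standing grant attached to an unused account name.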