From 33dd0a06c7ad278d47cf455c2306328eb7e7f1ad Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Fri, 6 Mar 2026 09:30:04 +0100
Subject: [PATCH] perm2

---
 .../policies/replicaset-cleaner.yaml | 18 ++++++++++++++++++
 cluster-resources/policies/secret-cloner.yaml | 10 ++--------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/cluster-resources/policies/replicaset-cleaner.yaml b/cluster-resources/policies/replicaset-cleaner.yaml
index 1e0466c..48a2960 100644
--- a/cluster-resources/policies/replicaset-cleaner.yaml
+++ b/cluster-resources/policies/replicaset-cleaner.yaml
@@ -1,3 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:pods-replicasets:manage
+ labels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - replicasets
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+---
 apiVersion: kyverno.io/v2
 kind: ClusterCleanupPolicy
 metadata:
diff --git a/cluster-resources/policies/secret-cloner.yaml b/cluster-resources/policies/secret-cloner.yaml
index 2ffe66d..d7cd791 100644
--- a/cluster-resources/policies/secret-cloner.yaml
+++ b/cluster-resources/policies/secret-cloner.yaml
@@ -1,19 +1,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kyverno:resources:view
+ name: kyverno:secrets:view
 labels:
 rbac.kyverno.io/aggregate-to-admission-controller: "true"
 rbac.kyverno.io/aggregate-to-reports-controller: "true"
 rbac.kyverno.io/aggregate-to-background-controller: "true"
- rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
 rules:
 - apiGroups:
 - ''
 resources:
 - secrets
- - pod
- - replicaset
 verbs:
 - get
 - list
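Review bot: The `replicasets` entry in the new `kyverno:pods-replicasets:manage` role sits under the core API group (`''`), but ReplicaSets are served from the `apps` group, so this rule grants the cleanup controller nothing on ReplicaSets. Deletions requested by the ClusterCleanupPolicy that follows would then be denied by RBAC. Split the rule so `pods` stays under `''` and `replicasets` moves to `apps`. Separately, `delete` on every Pod in the cluster is a broad grant; the policy's match block is outside the hunk, but if it only targets ReplicaSets the pods rule can be dropped.

```yaml
rules:
# Pods are served from the core API group.
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - delete
# ReplicaSets are served from the apps group, not core.
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
  - delete
```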
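Review bot: Changing `metadata.name` from `kyverno:resources:view` to `kyverno:secrets:view` creates a new ClusterRole instead of editing the old one, so the previous object, which still carries `rbac.kyverno.io/aggregate-to-cleanup-controller: "true"`, stays in the cluster unless the deployment tooling prunes it. Until it is deleted, the cleanup controller keeps the Secret read access this change is meant to take away. The same applies to `kyverno:resources:manage` in the next hunk of this file. I would record it in the file with a comment such as `# Renamed from kyverno:resources:view; delete the old ClusterRole if the deploy tool does not prune.` and check with `kubectl get clusterrole` after rollout.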
@@ -22,17 +19,14 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kyverno:resources:manage
+ name: kyverno:secrets:manage
 labels:
 rbac.kyverno.io/aggregate-to-background-controller: "true"
- rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
 rules:
 - apiGroups:
 - ''
 resources:
 - secrets
- - pod
- - replicaset
 verbs:
 - create
 - update
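Review bot: `kyverno:secrets:manage` still gives the background controller `create` and `update` on every Secret in every namespace, and nothing in the file says why. RBAC cannot narrow `create` with `resourceNames`, so the effective limit has to come from the policy that uses this role, presumably the clone policy further down the file. A comment above the role should say so, e.g. `# Write access for the secret clone rule; scope is enforced by the policy's match block, not by RBAC.` The verbs list continues past the end of the hunk, so any further verbs are not reviewed here.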