This issue is seen with the latest Helm charts, where all the components are installed through a single Helm chart.
When the coco intent is applied, the mutateexisting kyverno policy is created, but it is unable to mutate the deployments.
{"level":"error","ts":"2024-07-02T07:17:47Z","msg":"failed to create KyvernoPolicy","KyvernoPolicy.Name":"nephio-binding-1-mutateexisting","KyvernoPolicy.Namespace":"free5gc-cp","error":"admission webhook \"validate-policy.kyverno.svc\" denied the request: path: spec.rules[0].mutate.targets.: auth check fails, additional privileges are required for the service account 'system:serviceaccount:nimbus:kyverno-background-controller': cannot update/apps/v1/Deployment in namespace ","stacktrace":"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.createOrUpdateKp\n\t/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:174\ngithub.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.Run\n\t/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:80\nmain.main\n\t/nimbus/pkg/adapter/nimbus-kyverno/main.go:34\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:271"}
This is because the cluster role which is present is:
Whereas the expected match labels as per the aggregated cluster role selector are: