coco adapter: kyverno is unable to mutate deployments because of cluster role permissions

[shivaccuknox]

This issue is seen with the latest helm charts where all the components are installed through a single helm chart

When the coco intent is applied, the mutateexisting kyverno policy is created, but it is unable to mutate the deployments.

{"level":"error","ts":"2024-07-02T07:17:47Z","msg":"failed to create KyvernoPolicy","KyvernoPolicy.Name":"nephio-binding-1-mutateexisting","KyvernoPolicy.Namespace":"free5gc-cp","error":"admission webhook \"validate-policy.kyverno.svc\" denied the request: path: spec.rules[0].mutate.targets.: auth check fails, additional privileges are required for the service account 'system:serviceaccount:nimbus:kyverno-background-controller': cannot update/apps/v1/Deployment in namespace ","stacktrace":"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.createOrUpdateKp\n\t/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:174\ngithub.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/manager.Run\n\t/nimbus/pkg/adapter/nimbus-kyverno/manager/manager.go:80\nmain.main\n\t/nimbus/pkg/adapter/nimbus-kyverno/main.go:34\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:271"}

This because the cluster role which is present is

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: nimbus-kyverno
    app.kubernetes.io/part-of: nimbus-kyverno
  name: nimbus-kyverno:update-resources
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - update
  - patch

Where the expected match labels as per the aggregated cluster role selector is :

$ kg clusterrole nimbus-operator-kyverno:background-controller -o yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      app.kubernetes.io/component: background-controller
      app.kubernetes.io/instance: nimbus-operator
      app.kubernetes.io/part-of: nimbus-operator-kyverno