indeedeng / harbor-container-webhook

mutating webhook which rewrites container images to use a Harbor proxy cache
Apache License 2.0

Cluster scope access needed for secrets when checkUpstream is true #33

Open john-jam opened 6 months ago

john-jam commented 6 months ago

When using a private registry with credentials available in authSecretName and when defining checkUpstream: true, the webhook fails to read the secret and indicates that permission to read them at the cluster scope is missing:

2024-02-22T06:59:04Z    INFO    controller-runtime.webhook  Serving webhook server  {"host": "", "port": 9443}
2024-02-22T06:59:04Z    INFO    controller-runtime.certwatcher  Starting certificate watcher
2024-02-22T06:59:51Z    INFO    mutator token key:  {"key": {"name":"docker-cfg","namespace":"harbor-container-webhook"}}
W0222 06:59:51.704213       1 reflector.go:535] pkg/mod/k8s.io/client-go@v0.28.4/tools/cache/reflector.go:229: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:harbor-container-webhook:harbor-container-webhook" cannot list resource "secrets" in API group "" at the cluster scope

If we disable checkUpstream, the connection with the private registry works fine.

Should the right ClusterRole be added to the service account created by the helm chart or should the webhook code be updated to have it work with namespaced Roles? Happy to create a PR.

mpsOxygen commented 5 months ago

I'm hitting the same problem. Did you find a way around it?