From 1ba5bc57a5f06082e8333052afe6115d54120066 Mon Sep 17 00:00:00 2001
From: Vincent Link <vlink@redhat.com>
Date: Mon, 16 Mar 2026 10:38:55 +0100
Subject: [PATCH] Add endpointslices/restricted permission to ClusterRole

Related to #16448 and still used in
https://github.com/openshift/kubernetes/blob/2034d92b4a3a51d42e306ba405fc10a89768ac69/openshift-kube-apiserver/admission/network/restrictedendpoints/endpoint_admission.go#L242-L243
---
 config/core/200-roles/clusterrole.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/core/200-roles/clusterrole.yaml b/config/core/200-roles/clusterrole.yaml
index 5ab0e53829ff..fe87f97c5f9b 100644
--- a/config/core/200-roles/clusterrole.yaml
+++ b/config/core/200-roles/clusterrole.yaml
@@ -27,6 +27,9 @@ rules:
   - apiGroups: [""]
     resources: ["endpoints/restricted"] # Permission for RestrictedEndpointsAdmission
     verbs: ["create"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices/restricted"] # Permission for RestrictedEndpointsAdmission
+    verbs: ["create"]
   - apiGroups: [""]
     resources: ["namespaces/finalizers"] # finalizers are needed for the owner reference of the webhook
     verbs: ["update"]