From 6fbcd00e97a97fdc85bcf628856016f0efe0f6bf Mon Sep 17 00:00:00 2001
From: yoobinshin
Date: Mon, 6 Oct 2025 16:58:46 -0400
Subject: [PATCH] allow-list ocp controller sa in vap
---
 pkg/webhook/managedresource/validatingadmissionpolicy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/webhook/managedresource/validatingadmissionpolicy.go b/pkg/webhook/managedresource/validatingadmissionpolicy.go
index e0835507a..011ff96e0 100644
--- a/pkg/webhook/managedresource/validatingadmissionpolicy.go
+++ b/pkg/webhook/managedresource/validatingadmissionpolicy.go
@@ -75,7 +75,7 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy, isHub
 },
 Validations: []admv1.Validation{
 {
- Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups`,
+ Expression: `"system:masters" in request.userInfo.groups || "system:serviceaccounts:kube-system" in request.userInfo.groups || "system:serviceaccounts:fleet-system" in request.userInfo.groups || "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups`,
 Message: "Create, Update, or Delete operations on ARM managed resources is forbidden",
 Reason: &forbidden,
 },
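Review bot: The clause added on the `+ Expression:` line exempts the whole `system:serviceaccounts:openshift-kube-controller-manager` namespace group, so any service account that exists or is later created in that namespace — not only the controller the commit title names — may create, update or delete ARM managed resources; if the caller is one known identity, `request.userInfo.username == "system:serviceaccount:openshift-kube-controller-manager:<sa-name>"` narrows the exemption to that account. The new clause is also unconditional, so on clusters that are not OpenShift the namespace does not exist and a principal who can create that namespace and an SA in it would presumably inherit the bypass; I cannot tell from the hunk whether `mutateValidatingAdmissionPolicy` (whose signature shows an `isHub` flag) has a platform signal it could gate this on. At minimum the growing expression deserves a comment stating why each group is trusted, e.g. `// OpenShift runs kube-controller-manager out of its own namespace rather than kube-system, so its controllers need the same exemption.` The enclosing function starts and ends outside the hunk.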