From 80c647e3a652af520253c156cd540fda3bf4e2f7 Mon Sep 17 00:00:00 2001
From: Reed Schalo <reed0schalo@gmail.com>
Date: Wed, 6 Nov 2024 15:52:24 -0800
Subject: [PATCH] fix: scope CRD update permissions v0.33.x (#7333)

---
 .github/workflows/resource-count.yaml            | 2 +-
 charts/karpenter/templates/clusterrole-core.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/resource-count.yaml b/.github/workflows/resource-count.yaml
index 18e7d19e0658..8625aee48c2f 100644
--- a/.github/workflows/resource-count.yaml
+++ b/.github/workflows/resource-count.yaml
@@ -20,7 +20,7 @@ jobs:
         with:
           role-to-assume: arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/${{ vars.ROLE_NAME }}
           aws-region: ${{ matrix.region }}
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
         with:
           go-version-file: test/hack/resource/go.mod
           check-latest: true
diff --git a/charts/karpenter/templates/clusterrole-core.yaml b/charts/karpenter/templates/clusterrole-core.yaml
index 67d95309aeb8..38fb9a2e2f5b 100644
--- a/charts/karpenter/templates/clusterrole-core.yaml
+++ b/charts/karpenter/templates/clusterrole-core.yaml
@@ -75,6 +75,7 @@ rules:
     resourceNames: ["validation.webhook.karpenter.sh", "validation.webhook.config.karpenter.sh"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
+    resourceNames: ["ec2nodeclasses.karpenter.k8s.aws", "nodepools.karpenter.sh", "nodeclaims.karpenter.sh"]
     verbs: ["update"]
   {{- end }}
   {{- with .Values.additionalClusterRoleRules -}}