From 6c876bba9ad90414c3ace6473c1ad0912db5d0d5 Mon Sep 17 00:00:00 2001
From: AhmedGrati <48932084+AhmedGrati@users.noreply.github.com>
Date: Fri, 15 Dec 2023 14:25:39 +0100
Subject: [PATCH] fix: disable cluster wide controller role permissions
 (#10659)

Signed-off-by: AhmedGrati <ahmedgrati1999@gmail.com>
---
 charts/ingress-nginx/templates/controller-role.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
index f6217a29a..a94b39978 100644
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@@ -44,12 +44,15 @@ rules:
       - get
       - list
       - watch
+  # Omit Ingress status permissions if `--update-status` is disabled.
+  {{- if ne (index .Values.controller.extraArgs "update-status") "false" }}
   - apiGroups:
       - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
+  {{- end }}
   - apiGroups:
       - networking.k8s.io
     resources: