[RS-2325] Add rbac for waf api (#3746)

* Add rbac for waf api

* lock down configmap perms to coreruleset

pkg/render/apiserver.go

@@ -1653,6 +1653,13 @@ func (c *apiServerComponent) tigeraUserClusterRole() *rbacv1.ClusterRole {
 			Resources: []string{"serviceaccounts"},
 			Verbs:     []string{"list"},
 		},
+		// Access for WAF API to read in coreruleset configmap
+		{
+			APIGroups:     []string{""},
+			Resources:     []string{"configmaps"},
+			ResourceNames: []string{"coreruleset-default"},
+			Verbs:         []string{"get"},
+		},
 		// Access to statistics.
 		{
 			APIGroups: []string{""},
@@ -1843,6 +1850,13 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 			Resources: []string{"serviceaccounts"},
 			Verbs:     []string{"list"},
 		},
+		// Access for WAF API to read in coreruleset configmap
+		{
+			APIGroups:     []string{""},
+			Resources:     []string{"configmaps"},
+			ResourceNames: []string{"coreruleset-default"},
+			Verbs:         []string{"get"},
+		},
 		// Access to statistics.
 		{
 			APIGroups: []string{""},

pkg/render/apiserver_test.go

@@ -1369,6 +1369,12 @@ var (
 			Resources: []string{"serviceaccounts"},
 			Verbs:     []string{"list"},
 		},
+		{
+			APIGroups:     []string{""},
+			Resources:     []string{"configmaps"},
+			ResourceNames: []string{"coreruleset-default"},
+			Verbs:         []string{"get"},
+		},
 		{
 			APIGroups: []string{""},
 			Resources: []string{"services/proxy"},
@@ -1518,6 +1524,12 @@ var (
 			Resources: []string{"serviceaccounts"},
 			Verbs:     []string{"list"},
 		},
+		{
+			APIGroups:     []string{""},
+			Resources:     []string{"configmaps"},
+			ResourceNames: []string{"coreruleset-default"},
+			Verbs:         []string{"get"},
+		},
 		{
 			APIGroups: []string{""},
 			Resources: []string{"services/proxy"},