From 627e07ea5a4d8e6679bd1308d4d6e7b989a3bf76 Mon Sep 17 00:00:00 2001
From: Calum Murray
Date: Mon, 17 Nov 2025 16:23:35 -0500
Subject: [PATCH] fix: restmapper checks permissions on resources, not just kinds

Signed-off-by: Calum Murray
---
 pkg/kubernetes/accesscontrol_restmapper.go | 34 ++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/pkg/kubernetes/accesscontrol_restmapper.go b/pkg/kubernetes/accesscontrol_restmapper.go
index 06269480..a55bdd6e 100644
--- a/pkg/kubernetes/accesscontrol_restmapper.go
+++ b/pkg/kubernetes/accesscontrol_restmapper.go
@@ -40,11 +40,41 @@ func (a AccessControlRESTMapper) KindsFor(resource schema.GroupVersionResource)
 }

 func (a AccessControlRESTMapper) ResourceFor(input schema.GroupVersionResource) (schema.GroupVersionResource, error) {
- return a.delegate.ResourceFor(input)
+ gvr, err := a.delegate.ResourceFor(input)
+ if err != nil {
+ return schema.GroupVersionResource{}, err
+ }
+
+ gvk, err := a.delegate.KindFor(gvr)
+ if err != nil {
+ return schema.GroupVersionResource{}, err
+ }
+
+ if !isAllowed(a.staticConfig, &gvk) {
+ return schema.GroupVersionResource{}, isNotAllowedError(&gvk)
+ }
+
+ return gvr, nil
 }

 func (a AccessControlRESTMapper) ResourcesFor(input schema.GroupVersionResource) ([]schema.GroupVersionResource, error) {
- return a.delegate.ResourcesFor(input)
+ gvrs, err := a.delegate.ResourcesFor(input)
+ if err != nil {
+ return nil, err
+ }
+
+ for _, gvr := range gvrs {
+ gvk, err := a.delegate.KindFor(gvr)
+ if err != nil {
+ return nil, err
+ }
+
+ if !isAllowed(a.staticConfig, &gvk) {
+ return nil, isNotAllowedError(&gvk)
+ }
+ }
+
+ return gvrs, nil
 }

 func (a AccessControlRESTMapper) RESTMapping(gk schema.GroupKind, versions ...string) (*meta.RESTMapping, error) {
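Review bot: In `ResourcesFor`, a single denied match makes the whole call return `isNotAllowedError(&gvk)`, so an input that resolves to several resources fails even when the remaining matches are permitted. If that fail-closed behaviour is intended, state it in a doc comment such as `// ResourcesFor returns an error if any matched resource maps to a denied kind.`; if denied resources should instead be hidden, skip them in the loop and return the error only when no allowed match remains. Both new checks resolve the kind through `a.delegate.KindFor(gvr)`, which yields one kind per resource; whether that covers every kind the deny list can name depends on `isAllowed`, which is outside this hunk. The diffstat lists only this file, so a regression test that calls `ResourceFor` and `ResourcesFor` with a denied resource would pin the access-control fix.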