Merge branch 'main' into enh/allow-use-of-client-public-keys

.github/workflows/reuse-check.yaml

@@ -0,0 +1,11 @@
+name: REUSE Compliance Check
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: REUSE Compliance Check
+        uses: fsfe/reuse-action@3ae3c6bdf1257ab19397fab11fd3312144692083 # v4.0.0

.reuse/dep5

@@ -9,19 +9,22 @@ Comment:
 # --------------------------------------------------
 # source code
 Files:
+  .github/*
   .gitignore
   .golangci.yaml
   .github/dependabot.yaml
   CODEOWNERS
   VERSION
   charts/gardener-extension-shoot-lakom-service/.helmignore
   charts/gardener-extension-shoot-lakom-service/templates/_helpers.tpl
-  charts/gardener-extension-shoot-lakom-service/templates/_versions.tpl
+  charts/gardener-extension-shoot-lakom-admission/.helmignore
+  charts/gardener-extension-shoot-lakom-admission/templates/_helpers.tpl
   charts/lakom/.helmignore
   charts/lakom/templates/_helpers.tpl
   charts/lakom/templates/_versions.tpl
   config/lakom/cosign/password
   example/controller-registration.yaml
+  local-setup/.gitignore
   go.mod
   go.sum
   *.json

Dockerfile

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 ############# builder
-FROM golang:1.23.1 AS builder
+FROM golang:1.23.2 AS builder
 
 ARG EFFECTIVE_VERSION
 ARG TARGETARCH

VERSION

@@ -1 +1 @@
-v0.14.0-dev
+v0.16.0-dev

charts/gardener-extension-shoot-lakom-admission/Chart.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for the admission controller of gardener-extension-shoot-lakom

charts/gardener-extension-shoot-lakom-admission/charts/application/Chart.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: v1
 description: A Helm chart to deploy the gardener-extension-shoot-lakom-admission application related resources
 name: application

charts/gardener-extension-shoot-lakom-admission/charts/application/templates/rbac.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

charts/gardener-extension-shoot-lakom-admission/charts/application/templates/serviceaccount.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 {{- if and .Values.global.virtualGarden.enabled ( not .Values.global.virtualGarden.user.name ) }}
 apiVersion: v1
 kind: ServiceAccount

charts/gardener-extension-shoot-lakom-admission/charts/runtime/Chart.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: v1
 description: A Helm chart to deploy the gardener-extension-shoot-lakom-admission runtime related resources
 name: runtime

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/deployment.yaml

@@ -1,3 +1,8 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/poddisruptionbudget.yaml

@@ -1,3 +1,8 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/rbac.yaml

@@ -1,3 +1,8 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/secret-kubeconfig.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 {{- if .Values.global.kubeconfig }}
 apiVersion: v1
 kind: Secret

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/service.yaml

@@ -1,3 +1,8 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
 apiVersion: v1
 kind: Service
 metadata:

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/serviceaccount.yaml

@@ -1,3 +1,8 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:

charts/gardener-extension-shoot-lakom-admission/charts/runtime/templates/vpa.yaml

@@ -1,3 +1,8 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
 {{- if .Values.global.vpa.enabled}}
 apiVersion: autoscaling.k8s.io/v1
 kind: VerticalPodAutoscaler

charts/gardener-extension-shoot-lakom-admission/values.yaml

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
 global:
   virtualGarden:
     enabled: false

example/controller-registration.yaml

@@ -7,7 +7,7 @@ helm:
   rawChart: H4sIAAAAAAAAA+09a2/bOLbz2b+Cq8xi22Ilv5OOgV5c1/G0QdvEiDPdu7i4yNASY3MjiVpScuppu799D0lJ1suvJHXTuz4YpDLFxyF53jzUTDF3iE+4ST6FxBeU+aaYMRaaLr5lnikIn1Ob1H96CDQATrpd9S9A8V/13Gx3mq1u6/hYljdPWp3uT6j7oFG3hEiEmCP0E4dJr6u36f0PCtPt9t+aEdejU59xsvsYcoOPO52V+w/bnt//VrPTaP2EGo8/3TL8h+//ERrhMCTcFyhkSO8wupsRH00i6jrUn6IA27d4SoRVO0JXMyqQiIKA8RAegCpcNHXZBHk4tGdQ+6+IExeHdE6gXTjLlGPfgQ58MoW3zEfPAk5u6CfioDsK9f703EIXvrtAzFctJUooIBy51CdWzTodX49DwA26GDDPgw4+DsbIoVzUrCkN6+qvRr9mTf7gdfU3KZhN6/JP8lPM/fqyownMLwrQDXWJqL2wxF0Afyf4Fv6GHjz/C6p+xJyySKCz0yEMGHD2D2KHNYs6BNd1PSiqWXNhM4fUa997V7eHLfl/MMM8tBbYc+8xxib+b3U7Rf5vnrQP/L8PwAH9SLjc9x6aN2s4CNKfRtNqGDWHCJvTIFRFffQW9ACyJTWgG8ZROCPoTUxC6L0kGTTWJIOGCUGpimNJVCBCfOyRHtqO6mrzBJWGBbj8QFz148CW/O8w25qye46xif9PivZfq9FuHx/4fx9Qr6Px6PR/zF9B+w1YsACVOQuvgBh6qNVotdC4P0LjIQIOxr76gW9AUVIcEmQzL8D+Qir2pQywmR9yOolAV4tavV5L+n8PVOQLYp5BtZDeUMJBmoBlMSNmC1gb6k1Zbyq7kF2LGTJtZEwwPPz8+U3/8nR4Pry8ftsfvLs+Pbv8Wk9qmmo85rpAwZxMqQi5Mi8saFhBx8hCPz+zcYgsqw7/fRxejs8uzp/HP8kn7AUuqa/qU6q/pVjrVfRvyImARaUMplhMEh9PwLJAuflpC0pJxrhQWlpSmtqMc7At0BIJlEOiFmR7f7BM3JL/QwIrA5iL+3iCO/t/rWar0z74f/uAnff/Gmx+sMuFFQbb2oKb/b92Yf/b3ePuQf7vAz5/NhFywBMDt8ugHggWA5lfv9YQkm/oDZphMVKeGjLEDLe6xz0DWR+xG4FDqOpbIZ6itEXAqR/eIOPP4r//LIo1OQmYoKAaFuu6IK4gVR327t0hKCj4kXlUz8msXYIdAl4rSF0gf+roBVjLD6ZuYyaN0r5ly++9pTvBzvxvu8AxhIMRAH+F6bLpFFTXWtdwo/3X6Rb4//i4ffD/9gJH39D8O6odbWf8maZZyzqiN8DJfjihoaWfLMrq8yZ2AxBAtVvqOz000GT4qyLDmkdC7OAQ94DjXTwBCSKfUKajhM7r4SIAB9QQhDgG1NH+6AZml79qIiC27DWmfPkI0glzqKUHQ+iWLM5Vf8AVcVFcYZsRTF03bsiJfElO5axQyCMC5SqY1kO30YRwnwA3Wi/W9vtC/XqxTiLdl/81ro/D/93mSZn/Tw78vw/4wfl/pFkmy/9bc/SS33YRGYkY+IcATFWLkHrkHVkAl4ofS/dL2J3/mX9Dpx4OMi102UoZsIH/W2X9f9LuHvh/L/Ak+X/eTLhcEdYHHOzK4ZYmybiygLGgxefPyLoEkx0LYp0nxdIdSDrO0HEPfVHMnUVLjWCl44p4kFRQWLbLIieRVE3VPjuPSIdwVLkNfsvUH0UTl9ogPED4AHYh+7sMMSWuzDIEJJ/z9dEXBD3DcqJj7eggJOXTaxllDzkOEpOE3QFi51usga5+hP5G0B2GbkMGDo2IOEHhDCdRLAfMEpvQOREIS/8JR26I5hJbxMBHk2aKIZ1GGcjCvs9CfdZHBYJnsIWESM77ZI3Z8ixhrmecYjGYEfsWzcIwEL16fQotogmsgVeXbfQfKgQ0qb8Ea+FIPcNrDxbEfNluN7q/dH5pqPAa0C35BLLL16jAf3ezBXLoVGEFS0ac5bCnUMzkKSQsoTx8gHmCpBMICBr9Hm/L77IhzBbDlGZA8lI7WOgK5vO7R/iUoGcOtcPnv0vTL5Qd+QLw8ASiIWwZLCuWfSZjxuuqNkYiZSTEZMQKBxnLhRSqUBN4iRgLVKg7jrkCOx4sUSyqY5oykv16Fk8MSCo7gecJVUSCyJPZM+lYjyLXHRObk1BoWqog1RX1k+6w67K736C6VOCOqrW6r6rKuY7OQK7YQKWXOkZKN/VVrp9055BJNNWM2sttzogzKfP86cqeM02tQhtY1IRPbnAa2Fh2Dq1CKRSZf59hKlpXDbhG/j9A/6tIy5zYIOtNBtxyx2lIqoyADfq/2Thu5fV/u9FpNQ76fx/wZPR/HG7MhfE+KuK6SGhLkvLOZkIFgWfYK6ZvqQmh92qS3tKIyLsROAisjJ8ODszu6KzoiPpAsn4VLllbRk1FXOcZU1o1ZTujcq1T+6JTiJ1+b4o9wGPCzvLfIYHLFtLQ2jodaL38b7ZaJ82C/9dpNw/5f3uBJyP/s4IdZJ6op9L9NKW4B4r3LQV5UROppMFLIljE7cRczNjkWt7z5H3RDtfNe7GxnRWk30hhSOfIErO6cqz2oHDUmEA2Jp5jCjMC8ggXSUho5bLomNrSuk3japzMqcTyLZjnjC/eU4/CLLrqTQDOL84b+HHhgEWgqhQ2Qh3KsTgor0Lm7zPr/IgrfZ+1SgRpjF2GnlV/RbJSRwicQb0ZiTK4ljr/gv4ZsTCDWrGdzDdZ6VlAPU5tMZI5KRt7EjbHwZKik0q2dNlF5K2JEKrxqW+7kUNkAjC4w+hn6ypeEus1zGYkk4aNTVFG4zmyAFF9IA1jLpHd0ozcCulKa/A+c1jtKa2fSCooJLg5In5UMr4f00uA6neM38oToCKDM5MDT1KPmCDa1VkWSH3lgxNnu/YOcMFuLQIVHzPjOru2nrjMviWOaVOHF9om0ilDYtMQPZObXyWJnqNmRkiAyvRBJmY4mjl9WJp+6YVkNXJDOCfOaQSkNR0DgTqR9OvPlB6Ji4efiB2plNxMUxPdEam+e6jZaGTK9XjxWFeEe73cy5iyxjmxmQUlQoefADMVQhLlGqY8+eytoMhSbYRYIDPeYCx05le81sHA8jByoHtR90Y8E2J/XFzXMY6GkAXMZdOFOj4y8jjNmAjl+hmrBALIHgaCZDFwsRDned4XCwGaxvwlJYR4Zfq2Lenz/L6SQgXP5Jgy8ARWYjof4PW+OGf+JZjJ6Xm1BsVHI07nYGNOyVDY2MU6nVwFqNJ60Le0KXUki2SXVBsLl1qcnOroVvxaajFM/fhAXq/7A+SgktQ5EZ8kRVmlajK2OWLA84ucXtUJSEH6Midm+TRDKyYyY6X2qk5Cu553uTLqLtfCpTfEXtguMT38SbaHHeEy7s2J/CFvsbxaoebTptay2Xjh2yKLoxxjRrAbzpRy3H2UTONN42jj2NQ8JndoaQCt6l03uUha9JenDIW+CylaJnVeZbe1nPVlVawCDycEh2bqNrzacH5SbAgzJ3cmqAnYVOzC3sJUnHUrp9tZqt1Z3GysW1VvkjkBJ8nEjiPF86ve2j1R9l2hl9j0266brJ2YtQ/lbbAsXadcOdrW6syJRs3A8euccmQhs5nbQ1eDUVru0jmslhAgOCY5sSGPj96QMC+c5a20HqrrBfmjoCbXIFu9ghIEkLrE9+3V1SjzQqpbit1T4uJFvINSMy8lJhAg3Rlv2Wqxd7S7aQXiz7MbrXfq/bB/Ory8Hr4fDq7OLs6vz/sfhuNRfzDM9KsU5a/gSOSndUOJ61ySm6IGVeUjNefESbJSLkzr7mjtJ/iefei/GX4EZC8ury8+Di//dnl2VcIVFlu50JkYar0yqJrDJqehSwjyfBQhIYS4sOoMeNniC2hV6i3jss1GcaDC2HPmRh75IPW9KO9ZPiEmPS5PwJPN9PqXdVOmnqRHedpX0Pn33JgNvtcK/ErbtB1+ueXSi1UyItaukp0cO2SJd6fkhAQAaa9gRMa2apUVoEELhPL7nZZ+14VfM+VHOWhJID7C/MAc6LnTamTmdjiGeEzYOf4PvqRDBY/UjdBJ5EzJxoOATee/7Xbx/sdxq3W4/7EXeJLx/0A5TssTgBFzTlOae61obj9HAU/kTDeJPoEr9psfh9nBQ0bNJx7ujlWRIB6I+IGkFw6e13+9Qk2rdWw2wOUa4ECfGFDo7x10HdOA9YaG8aMePvK1JbsAWhgCZirnJXa+++4dXoi+DDMcDqp3hJ3lP59ge8cPQWyQ/+1up5j/3250Dvm/e4EnIf+P0NXF6cWzeeDLsvnzHrokHpiFwPU6Q1N+CSbOYBSIgbyJr0qnV6SpUJb+oqxLFL3iKJwxTv/QV6hvXwp9oyB/l+CSuWRdnnHxDLO3Tlw+Cb3BI1e6NKbMYn7DWRTEt5bk+Xot53jK0mVmh3wJEnsSv5DqVv7rUqEf7qSWKXe7cqXKY8W3iO450KpT5fI4HvbB0XDS0vx4xguj3LlhlLtJbYVvvzLLqoWfddjpMNoOAX01LXmKAqBost1M00NLPbzQubsalXmZNCpX0GaMO9TPMlt5IEWphd5gLKzcwM0rutsYSbky7vS7rWLBledNaZQ2j3y8ysmuPEwOvYYC6k//n4kjmFgc6kt2c8261NLLExnx/JBVENFEfrVLCUTd8zh3KPYtHYnvreZXws72XxLD2sEE3HT/q9lolb//cMj/2wustf/a3/v+V8ygD03rlhdptvb4SzlYmZyRlelsN1zesnFdNZSpM6RMICzQBMKME0lMfUyG/vK/nw35aGx3yvZXIzn2MnrG1WBkfP2/v2yNVzplM4kTxAhkAgWARyH1IHfiAqPqTo2vu4wcMMdUWicdeXmKCitCZR5fztZ5EioqibTojINY85yNSnGW74Zg5rDVrDgn3TrLLx6+fKKqiXaHc9vvLcEO8BC4r/7H2mbaygzY9P2H45Pi/e9us9s56P99wJOI/2zS/4mB/p8U8weXiKlD7vwaXLFbkmbOPcL+78z/8wDv+h3gTed/5e+/tE5azQP/7wOeDP8X0hYkmcV34wu3Pg3JGTKJVJqfaQjFiCUGVAspvBwxpx/Xq/w+zDcQHIntWDGTxErOZoTmy7S0yeTNQSFN8lEyCXX3ztz1qN/XfsgydcMjHuM6e5WTf0aUEwcZq/G2ln1YuqmOu+uWxpoZV7Qsfp0vsTzTXLCqC2GyvHQp7H4pKPJMUUXssuuvS3TWSaalnFC2srWs96Nfjt1S/sff57jfB+A3xX+Oy99/7bQO33/eCzwJ+Z/hzF7VZ5tr2bs1PdSu1XSevpKiyRdAe4hEnAXEdOQtHm4Ft1PLIfN6SuHx/7Whri8JpeX17BFLxdhSME1lJiBYP1LYBJm0/7ObcxaO5Kf6QA7VqlLtQI5IUXMU38fvqedCfmFclp/MDWPWBPNKNPOtFHrzptWy2rXCZdXEUKzlDkakxIa5xMrFDqIe6ja8WlYjNFsvP9AayD1ZJ/1GTZxCWaW5yuol6eq4Az1tEraGVNZGrZYJM6iPGKxK9l/eHUnvNKQaNHvhQJJxTd6JTa8kbKimT3aSO73lJHygPlmz9Pkmvc1yS4LMN510SbLZt2TRjIvkrZipvL0z83roctwfj/vm6N1g3DTnzeuuOX7bb3WP07oqE/SLmf4G+pHwevjm7ByNfnv9/myA3g3/rgozlZqtdqfYZnh+uqJFBsvWPrHEE9vZDstlLnsPvWy8lPuQCUWpMrm+K79XlJBM9ReIcm+rPiuUVCh9KKj0maDlvaY1H/l5NBfuAAc4wAEOcIADHOAABzjAAbaCfwODb+9PAHgAAA==
   values:
     image:
-      tag: v0.14.0-dev
+      tag: v0.16.0-dev
 ---
 apiVersion: core.gardener.cloud/v1beta1
 kind: ControllerRegistration

pkg/controller/lifecycle/actuator.go

@@ -685,11 +685,10 @@ func getShootResources(webhookCaBundle []byte, extensionNamespace, shootAccessSe
 				ObjectSelector:    &objectSelector,
 			}},
 		},
-		&rbacv1.Role{
+		&rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      constants.LakomResourceReader,
-				Namespace: metav1.NamespaceSystem,
-				Labels:    getLabels(),
+				Name:   constants.LakomResourceReader,
+				Labels: getLabels(),
 			},
 			Rules: []rbacv1.PolicyRule{
 				{
@@ -699,25 +698,7 @@ func getShootResources(webhookCaBundle []byte, extensionNamespace, shootAccessSe
 				},
 			},
 		},
-		&rbacv1.RoleBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      constants.LakomResourceReader,
-				Namespace: metav1.NamespaceSystem,
-				Labels:    getLabels(),
-			},
-			RoleRef: rbacv1.RoleRef{
-				APIGroup: "rbac.authorization.k8s.io",
-				Kind:     "Role",
-				Name:     constants.LakomResourceReader,
-			},
-			Subjects: []rbacv1.Subject{
-				{
-					Kind:      rbacv1.ServiceAccountKind,
-					Name:      shootAccessServiceAccountName,
-					Namespace: metav1.NamespaceSystem,
-				},
-			},
-		},
+		getRoleBinding(scope, shootAccessServiceAccountName),
 	)
 
 	if err != nil {
@@ -752,3 +733,38 @@ func getClientKeys(ctx context.Context, client client.Client, resources []v1beta
     return clientKeys, nil
 }
 
+func getRoleBinding(scope lakom.ScopeType, shootAccessServiceAccountName string) client.Object {
+	roleRef := rbacv1.RoleRef{
+		APIGroup: "rbac.authorization.k8s.io",
+		Kind:     "ClusterRole",
+		Name:     constants.LakomResourceReader,
+	}
+	subjects := []rbacv1.Subject{
+		{
+			Kind:      rbacv1.ServiceAccountKind,
+			Name:      shootAccessServiceAccountName,
+			Namespace: metav1.NamespaceSystem,
+		},
+	}
+
+	if scope == lakom.Cluster {
+		return &rbacv1.ClusterRoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   constants.LakomResourceReader,
+				Labels: getLabels(),
+			},
+			RoleRef:  roleRef,
+			Subjects: subjects,
+		}
+	}
+
+	return &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      constants.LakomResourceReader,
+			Namespace: metav1.NamespaceSystem,
+			Labels:    getLabels(),
+		},
+		RoleRef:  roleRef,
+		Subjects: subjects,
+	}
+}

pkg/controller/lifecycle/actuator_test.go

@@ -84,8 +84,8 @@ var _ = Describe("Actuator", func() {
 			Expect(manifests).To(ConsistOf(
 				expectedSeedValidatingWebhook(caBundle, extensionNamespace, managedByGardenerObjectSelector, kubeSystemNamespaceSelector),
 				expectedShootMutatingWebhook(caBundle, extensionNamespace, managedByGardenerObjectSelector, kubeSystemNamespaceSelector),
-				expectedShootRole(),
-				expectedShootRoleBinding(shootAccessServiceAccountName),
+				expectedShootClusterRole(),
+				expectedShootRoleBinding(shootAccessServiceAccountName, scope),
 			))
 		})
 
@@ -132,16 +132,17 @@ var _ = Describe("Actuator", func() {
 		)
 
 		DescribeTable("Should ensure the rolebinding is correctly set",
-			func(saName string) {
-				resources, err := getShootResources(caBundle, extensionNamespace, saName, scope)
+			func(saName string, lakomScope lakom.ScopeType) {
+				resources, err := getShootResources(caBundle, extensionNamespace, saName, lakomScope)
 				Expect(err).ToNot(HaveOccurred())
 				manifests, err := test.ExtractManifestsFromManagedResourceData(resources)
 				Expect(err).ToNot(HaveOccurred())
 
-				Expect(manifests).To(ContainElement(expectedShootRoleBinding(saName)))
+				Expect(manifests).To(ContainElement(expectedShootRoleBinding(saName, lakomScope)))
 			},
-			Entry("ServiceAccount name: test", "test"),
-			Entry("ServiceAccount name: foo-bar", "foo-bar"),
+			Entry("ServiceAccount name: test, scope: KubeSystemManagedByGardener", "test", lakom.KubeSystemManagedByGardener),
+			Entry("ServiceAccount name: foo-bar, scope: KubeSystem", "foo-bar", lakom.KubeSystem),
+			Entry("ServiceAccount name: foo-bar, scope: Cluster", "foo-bar", lakom.Cluster),
 		)
 
 		DescribeTable("Should return the correct object and namespace selectors based on scope",
@@ -326,16 +327,15 @@ webhooks:
 `
 }
 
-func expectedShootRole() string {
+func expectedShootClusterRole() string {
 	return `apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   creationTimestamp: null
   labels:
     app.kubernetes.io/name: lakom
     app.kubernetes.io/part-of: shoot-lakom-service
   name: gardener-extension-shoot-lakom-service-resource-reader
-  namespace: kube-system
 rules:
 - apiGroups:
   - ""
@@ -346,7 +346,27 @@ rules:
 `
 }
 
-func expectedShootRoleBinding(saName string) string {
+func expectedShootRoleBinding(saName string, lakomScope lakom.ScopeType) string {
+	if lakomScope == lakom.Cluster {
+		return `apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: lakom
+    app.kubernetes.io/part-of: shoot-lakom-service
+  name: gardener-extension-shoot-lakom-service-resource-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gardener-extension-shoot-lakom-service-resource-reader
+subjects:
+- kind: ServiceAccount
+  name: ` + saName + `
+  namespace: kube-system
+`
+	}
+
 	return `apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -358,7 +378,7 @@ metadata:
   namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
+  kind: ClusterRole
   name: gardener-extension-shoot-lakom-service-resource-reader
 subjects:
 - kind: ServiceAccount