chore: Keep the rbac.authorization.k8s.io rules within a ClusterRole close to each other

NickLarsenNZ · NickLarsenNZ · commit c80b61c5582f · 2026-04-09T14:41:29.000+02:00
diff --git a/deploy/helm/opa-operator/templates/roles.yaml b/deploy/helm/opa-operator/templates/roles.yaml
@@ -52,6 +52,15 @@ rules:
       - get
       - list
       - patch
+  # Required to bind the product ClusterRole to the per-cluster ServiceAccount.
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - bind
+    resourceNames:
+      - {{ include "operator.name" . }}-clusterrole
   # DaemonSet created per role group. Applied via SSA, tracked for orphan cleanup, and
   # owned by the controller.
   - apiGroups:
@@ -103,15 +112,6 @@ rules:
       - {{ include "operator.name" . }}clusters/status
     verbs:
       - patch
-  # Required to bind the product ClusterRole to the per-cluster ServiceAccount.
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - clusterroles
-    verbs:
-      - bind
-    resourceNames:
-      - {{ include "operator.name" . }}-clusterrole
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
