From 210577387494ff68238a97491d85b86bb49cec33 Mon Sep 17 00:00:00 2001
From: pierig-n3xtio <154346818+pierig-n3xtio@users.noreply.github.com>
Date: Tue, 20 Aug 2024 09:44:50 -0400
Subject: [PATCH] cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs

cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs
fixes: #13168
Signed-off-by: Pierig Le Saux
---
 .../deploy/chart/templates/operator-rbac.yaml | 8 ++--
 .../deploy/chart/templates/proxy-rbac.yaml | 2 +-
 .../deploy/manifests/operator.yaml | 45 ++++++++++++++++---
 3 files changed, 45 insertions(+), 10 deletions(-)
diff --git a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
index 1a1846439..9f2a4c2f0 100644
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -14,10 +14,10 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["events", "services", "services/status"]
- verbs: ["*"]
+ verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["networking.k8s.io"]
 resources: ["ingresses", "ingresses/status"]
- verbs: ["*"]
+ verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["networking.k8s.io"]
 resources: ["ingressclasses"]
 verbs: ["get", "list", "watch"]
@@ -49,10 +49,10 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets", "serviceaccounts", "configmaps"]
- verbs: ["*"]
+ verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["apps"]
 resources: ["statefulsets", "deployments"]
- verbs: ["*"]
+ verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["discovery.k8s.io"]
 resources: ["endpointslices"]
 verbs: ["get", "list", "watch"]
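Review bot: The replacement list in the first operator-rbac.yaml hunk is the complete set of standard verbs applied uniformly to `events`, `services` and the `services/status` subresource, so the rule's effective reach stays close to what `"*"` granted; the same eight-verb list repeats on the `ingresses` rule here and in every other hunk of this patch. Status subresources generally accept only `get`, `patch` and `update`, and event recording usually needs only `create` and `patch`, so splitting the rule by resource would state the intent more tightly, e.g. `resources: ["services/status"]` with `verbs: ["get", "patch", "update"]`; the exact set has to be confirmed against the operator's client calls, which are not part of this diff. The new lists also drop the space after each comma, unlike the neighbouring `verbs: ["get", "list", "watch"]`. The `rules:` list begins before and continues after the hunk.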
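Review bot: On the `secrets` rule in the second operator-rbac.yaml hunk, `list` and `watch` return full Secret objects, so the role can still read every Secret in the namespace it is bound in, and `deletecollection` permits bulk deletion; nothing in the template records why each verb is kept. I would add a comment above the rule along the lines of `# secrets: list/watch needed for <reason>; deletecollection needed for <reason>`, filled in by the maintainers, so that a later tightening has something to check against. The change does have a real effect worth noting in that comment: with `"*"` gone, verbs outside the list, such as `impersonate` on `serviceaccounts`, are no longer granted.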
diff --git a/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml b/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
index 31a034aaa..1c15c9119 100644
--- a/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
@@ -15,7 +15,7 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
- verbs: ["*"]
+ verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/cmd/k8s-operator/deploy/manifests/operator.yaml b/cmd/k8s-operator/deploy/manifests/operator.yaml
index 4633ba3a4..894ec1d69 100644
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@@ -2428,14 +2428,28 @@ rules:
 - services
 - services/status
 verbs:
- '*'
+ create
+ delete
+ deletecollection
+ get
+ list
+ patch
+ update
+ watch
 - apiGroups:
 - networking.k8s.io
 resources:
 - ingresses
 - ingresses/status
 verbs:
- '*'
+ create
+ delete
+ deletecollection
+ get
+ list
+ patch
+ update
+ watch
 - apiGroups:
 - networking.k8s.io
 resources:
@@ -2493,14 +2507,28 @@ rules:
 - serviceaccounts
 - configmaps
 verbs:
- '*'
+ create
+ delete
+ deletecollection
+ get
+ list
+ patch
+ update
+ watch
 - apiGroups:
 - apps
 resources:
 - statefulsets
 - deployments
 verbs:
- '*'
+ create
+ delete
+ deletecollection
+ get
+ list
+ patch
+ update
+ watch
 - apiGroups:
 - discovery.k8s.io
 resources:
@@ -2521,7 +2549,14 @@ rules:
 resources:
 - secrets
 verbs:
- '*'
+ create
+ delete
+ deletecollection
+ get
+ list
+ patch
+ update
+ watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
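Review bot: The rule in the proxy-rbac.yaml hunk still gives the proxy role `create`, `delete`, `deletecollection`, `list` and `watch` on every Secret in the namespace, which is broad for what are presumably the network-facing proxy workloads. If a proxy only reads and updates its own state Secret, which cannot be verified from this diff, the rule could be narrowed to `verbs: ["get", "patch", "update"]` and scoped with `resourceNames`, leaving Secret creation and deletion to the operator. The Role document starts before the hunk. The three operator.yaml hunks that follow appear to mirror the chart templates and carry the same verb lists, so the same consideration applies there.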