cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs

cmd/k8s-operator/deploy: replace wildcards in Kubernetes Operator RBAC role definitions with verbs fixes: #13168 Signed-off-by: Pierig Le Saux <pierig@n3xt.io>
1 month ago · 2105773874
parent 01aa01f310
commit 2105773874
3 changed files with 45 additions and 10 deletions
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@ -14,10 +14,10 @@ metadata:
 rules:
 - apiGroups: [""]
  resources: ["events", "services", "services/status"]
-  verbs: ["*"]
+  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingresses/status"]
-  verbs: ["*"]
+  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["networking.k8s.io"]
  resources: ["ingressclasses"]
  verbs: ["get", "list", "watch"]
@ -49,10 +49,10 @@ metadata:
 rules:
 - apiGroups: [""]
  resources: ["secrets", "serviceaccounts", "configmaps"]
-  verbs: ["*"]
+  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["apps"]
  resources: ["statefulsets", "deployments"]
-  verbs: ["*"]
+  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 - apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
--- a/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/proxy-rbac.yaml
@ -15,7 +15,7 @@ metadata:
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
-  verbs: ["*"]
+  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
--- a/cmd/k8s-operator/deploy/manifests/operator.yaml
+++ b/cmd/k8s-operator/deploy/manifests/operator.yaml
@ -2428,14 +2428,28 @@ rules:
        - services
        - services/status
      verbs:
-        - '*'
+        - create
+        - delete
+        - deletecollection
+        - get
+        - list
+        - patch
+        - update
+        - watch
    - apiGroups:
        - networking.k8s.io
      resources:
        - ingresses
        - ingresses/status
      verbs:
-        - '*'
+        - create
+        - delete
+        - deletecollection
+        - get
+        - list
+        - patch
+        - update
+        - watch
    - apiGroups:
        - networking.k8s.io
      resources:
@ -2493,14 +2507,28 @@ rules:
        - serviceaccounts
        - configmaps
      verbs:
-        - '*'
+        - create
+        - delete
+        - deletecollection
+        - get
+        - list
+        - patch
+        - update
+        - watch
    - apiGroups:
        - apps
      resources:
        - statefulsets
        - deployments
      verbs:
-        - '*'
+        - create
+        - delete
+        - deletecollection
+        - get
+        - list
+        - patch
+        - update
+        - watch
    - apiGroups:
        - discovery.k8s.io
      resources:
@ -2521,7 +2549,14 @@ rules:
      resources:
        - secrets
      verbs:
-        - '*'
+        - create
+        - delete
+        - deletecollection
+        - get
+        - list
+        - patch
+        - update
+        - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding