Reduce RBAC

Fixes: #47 - I don't think create/delete are needed for namespace, which is user-managed. Patch/update might be needed to manage the status. The same goes for ClusterPullSecret - which is a user-managed resource. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
alexellis · Nov 18, 2024 · a691755 · a691755
1 parent 77b2b0b
commit a691755
Show file tree

Hide file tree

Showing 6 changed files with 4 additions and 44 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,4 @@ bin
 *.swo
 *~
 /registry-creds
+/kubeconfig
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -9,21 +9,15 @@ rules:
   resources:
   - namespaces
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
   resources:
   - namespaces/status
   verbs:
   - get
-  - patch
-  - update
 - apiGroups:
   - ""
   resources:
@@ -69,12 +63,8 @@ rules:
   resources:
   - clusterpullsecrets
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ops.alexellis.io

diff --git a/controllers/clusterpullsecret_controller.go b/controllers/clusterpullsecret_controller.go
@@ -26,7 +26,7 @@ type ClusterPullSecretReconciler struct {
 	SecretReconciler *SecretReconciler
 }
 
-// +kubebuilder:rbac:groups=ops.alexellis.io,resources=clusterpullsecrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=ops.alexellis.io,resources=clusterpullsecrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=ops.alexellis.io,resources=clusterpullsecrets/status,verbs=get;update;patch
 
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete

diff --git a/controllers/namespace_watcher.go b/controllers/namespace_watcher.go
@@ -26,8 +26,8 @@ type NamespaceWatcher struct {
 	SecretReconciler *SecretReconciler
 }
 
-// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=namespaces/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=namespaces/status,verbs=get
 
 func (r *NamespaceWatcher) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	r.Log.WithValues("namespace", req.NamespacedName)

diff --git a/kubeconfig b/kubeconfig
diff --git a/manifest.yaml b/manifest.yaml
@@ -105,21 +105,15 @@ rules:
   resources:
   - namespaces
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
   resources:
   - namespaces/status
   verbs:
   - get
-  - patch
-  - update
 - apiGroups:
   - ""
   resources:
@@ -165,12 +159,8 @@ rules:
   resources:
   - clusterpullsecrets
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ops.alexellis.io
@@ -241,4 +231,3 @@ spec:
             cpu: 100m
             memory: 45Mi
       terminationGracePeriodSeconds: 10
-      automountServiceAccountToken: true
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,3 +23,4 @@ bin @@
     *.swo
     *~
     /registry-creds
+    /kubeconfig