Tighten RBAC permissions (kubernetes-sigs#1526)

kishorj · Timothy-Dougherty · commit fd6d32d68d39 · 2023-11-09T11:19:10.000+11:00
* tighten rbac permissions

* remove patch/update for pods
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
@@ -9,24 +9,7 @@ rules:
     resources:
       - configmaps
     verbs:
-      - get
-      - list
-      - watch
       - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps/status
-    verbs:
       - get
       - update
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -20,12 +20,6 @@ rules:
   - events
   verbs:
   - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -49,15 +43,12 @@ rules:
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
   resources:
   - pods/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
@@ -83,7 +74,6 @@ rules:
   resources:
   - services/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
@@ -103,7 +93,6 @@ rules:
   resources:
   - targetgroupbindings/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
@@ -121,7 +110,6 @@ rules:
   resources:
   - ingresses/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
@@ -139,6 +127,5 @@ rules:
   resources:
   - ingresses/status
   verbs:
-  - get
   - patch
   - update
diff --git a/controllers/elbv2/targetgroupbinding_controller.go b/controllers/elbv2/targetgroupbinding_controller.go
@@ -67,14 +67,14 @@ type targetGroupBindingReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=elbv2.k8s.aws,resources=targetgroupbindings,verbs=get;list;watch;update;patch;create;delete
-// +kubebuilder:rbac:groups=elbv2.k8s.aws,resources=targetgroupbindings/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups="",resources=pods/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=elbv2.k8s.aws,resources=targetgroupbindings/status,verbs=update;patch
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=pods/status,verbs=update;patch
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;update;patch;create;delete
+// +kubebuilder:rbac:groups="",resources=events,verbs=create
 
 func (r *targetGroupBindingReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	return runtime.HandleReconcileError(r.reconcile(req), r.logger)
diff --git a/controllers/ingress/group_controller.go b/controllers/ingress/group_controller.go
@@ -87,12 +87,12 @@ type groupReconciler struct {
 }
 
 // +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=networking.k8s.io,resources=ingresses/status,verbs=update;patch
 // +kubebuilder:rbac:groups=extensions,resources=ingresses,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=extensions,resources=ingresses/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=extensions,resources=ingresses/status,verbs=update;patch
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
-// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;update;patch;create;delete
+// +kubebuilder:rbac:groups="",resources=events,verbs=create
 
 // Reconcile
 func (r *groupReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/service/service_controller.go b/controllers/service/service_controller.go
@@ -69,8 +69,8 @@ type serviceReconciler struct {
 }
 
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups="",resources=services/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;update;patch;create;delete
+// +kubebuilder:rbac:groups="",resources=services/status,verbs=update;patch
+// +kubebuilder:rbac:groups="",resources=events,verbs=create
 
 func (r *serviceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	return runtime.HandleReconcileError(r.reconcile(req), r.logger)

Original file line number	Diff line number	Diff line change
`@@ -69,8 +69,8 @@ type serviceReconciler struct {`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`// +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;patch`
`72`		`-// +kubebuilder:rbac:groups="",resources=services/status,verbs=get;update;patch`
`73`		`-// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;update;patch;create;delete`
	`72`	`+// +kubebuilder:rbac:groups="",resources=services/status,verbs=update;patch`
	`73`	`+// +kubebuilder:rbac:groups="",resources=events,verbs=create`
`74`	`74`
`75`	`75`	`func (r *serviceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {`
`76`	`76`	`return runtime.HandleReconcileError(r.reconcile(req), r.logger)`