Merge pull request #2848 from OdedViner/core_group_rbac

Reducing the core group privileges

config/rbac/role.yaml

@@ -109,27 +109,24 @@ rules:
   - events
   - nodes
   - persistentvolumeclaims
+  - persistentvolumes
   - pods
   - secrets
   - serviceaccounts
   - services
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
+  - create
+  - delete
   - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
-  - persistentvolumes
+  - namespaces
   verbs:
-  - '*'
   - get
-  - list
-  - watch
 - apiGroups:
   - k8s.cni.cncf.io
   resources:

controllers/storagecluster/reconcile.go

@@ -114,7 +114,7 @@ var validTopologyLabelKeys = []string{
 // +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
-// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=*
+// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update;delete

deploy/csv-templates/ocs-operator.csv.yaml.in

@@ -280,27 +280,24 @@ spec:
           - events
           - nodes
           - persistentvolumeclaims
+          - persistentvolumes
           - pods
           - secrets
           - serviceaccounts
           - services
           verbs:
-          - '*'
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
+          - create
+          - delete
           - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - ""
           resources:
-          - persistentvolumes
+          - namespaces
           verbs:
-          - '*'
           - get
-          - list
-          - watch
         - apiGroups:
           - k8s.cni.cncf.io
           resources:

deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml

@@ -289,27 +289,24 @@ spec:
           - events
           - nodes
           - persistentvolumeclaims
+          - persistentvolumes
           - pods
           - secrets
           - serviceaccounts
           - services
           verbs:
-          - '*'
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
+          - create
+          - delete
           - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - ""
           resources:
-          - persistentvolumes
+          - namespaces
           verbs:
-          - '*'
           - get
-          - list
-          - watch
         - apiGroups:
           - k8s.cni.cncf.io
           resources: