From 8fe34fcc046c476b6264fe6d94c4ca333706d9ae Mon Sep 17 00:00:00 2001
From: Oded Viner
Date: Thu, 10 Oct 2024 13:14:02 +0300
Subject: [PATCH] Reducing the core group privileges

Signed-off-by: Oded Viner
---
 config/rbac/role.yaml | 17 +++++++----------
 controllers/storagecluster/reconcile.go | 2 +-
 deploy/csv-templates/ocs-operator.csv.yaml.in | 17 +++++++----------
 .../ocs-operator.clusterserviceversion.yaml | 17 +++++++----------
 4 files changed, 22 insertions(+), 31 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 96b5519fbc..05ecc8cb4c 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -109,27 +109,24 @@ rules:
   - events
   - nodes
   - persistentvolumeclaims
+  - persistentvolumes
   - pods
   - secrets
   - serviceaccounts
   - services
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
+  - create
+  - delete
   - get
+  - list
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
-  - persistentvolumes
+  - namespaces
   verbs:
-  - '*'
   - get
-  - list
-  - watch
 - apiGroups:
   - k8s.cni.cncf.io
   resources:
diff --git a/controllers/storagecluster/reconcile.go b/controllers/storagecluster/reconcile.go
index bf888a92d0..272f5b7087 100644
--- a/controllers/storagecluster/reconcile.go
+++ b/controllers/storagecluster/reconcile.go
@@ -114,7 +114,7 @@ var validTopologyLabelKeys = []string{
 // +kubebuilder:rbac:groups=ceph.rook.io,resources=cephclusters;cephblockpools;cephfilesystems;cephnfses;cephobjectstores;cephobjectstoreusers;cephrbdmirrors;cephblockpoolradosnamespaces,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=noobaa.io,resources=noobaas,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses,verbs=watch;create;delete;get;list
-// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=*
+// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;endpoints;persistentvolumes;persistentvolumeclaims;events;configmaps;secrets;nodes,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors;prometheusrules,verbs=get;list;watch;create;update;delete
diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
index a230eb4102..cc84dcb00c 100644
--- a/deploy/csv-templates/ocs-operator.csv.yaml.in
+++ b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -280,27 +280,24 @@ spec:
           - events
           - nodes
           - persistentvolumeclaims
+          - persistentvolumes
           - pods
           - secrets
           - serviceaccounts
           - services
           verbs:
-          - '*'
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
+          - create
+          - delete
           - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - ""
           resources:
-          - persistentvolumes
+          - namespaces
           verbs:
-          - '*'
           - get
-          - list
-          - watch
         - apiGroups:
           - k8s.cni.cncf.io
           resources:
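Review bot: The rewritten marker on the `+` line still grants `create`, `update` and `delete` on every listed core resource, including `nodes`, `secrets`, `serviceaccounts` and `persistentvolumes`, and the regenerated rules in `config/rbac/role.yaml` and both CSV files in this patch carry that same combined verb set; because the presence of `nodes` and `persistentvolumes` suggests this lands in a cluster-scoped role, the reduction from `*` stays coarse. A single marker line cannot express per-resource verbs, so consider splitting it, e.g. `// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch` for read-only resources and keeping `create;update;delete` only on the resources the reconciler actually writes. Replacing `*` with an explicit list also silently drops `patch` and `deletecollection`; if any reconcile path issues a `Patch` or `DeleteAllOf` against pods, services, secrets or configmaps, the API server will now reject it, which is worth confirming with a regenerate-and-run before merge. The surrounding `validTopologyLabelKeys` declaration starts before this hunk.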
diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
index ecb465f9b9..296674280b 100644
--- a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
+++ b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -289,27 +289,24 @@ spec:
           - events
           - nodes
           - persistentvolumeclaims
+          - persistentvolumes
           - pods
           - secrets
           - serviceaccounts
           - services
           verbs:
-          - '*'
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
+          - create
+          - delete
           - get
+          - list
+          - update
+          - watch
         - apiGroups:
           - ""
           resources:
-          - persistentvolumes
+          - namespaces
           verbs:
-          - '*'
           - get
-          - list
-          - watch
         - apiGroups:
           - k8s.cni.cncf.io
           resources: