Proper RBAC roles for the operator service account

Author: korewaChino

charts/chisel-operator/templates/serviceaccount.yaml

@@ -21,9 +21,18 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 rules:
-  - apiGroups: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "deployments/*"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["services", "services/status", "services/finalizers"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["chisel-operator.io"]
     resources: ["*"]
     verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

deploy/clusterrole.yaml

@@ -3,6 +3,15 @@ kind: ClusterRole
 metadata:
   name: chisel-operator
 rules:
-  - apiGroups: ["*"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "deployments/*"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["services", "services/status", "services/finalizers"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["chisel-operator.io"]
     resources: ["*"]
     verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]

deploy/deployment.yaml

@@ -19,7 +19,7 @@ spec:
       automountServiceAccountToken: true
       containers:
         - name: chisel-operator
-          image: ghcr.io/fyralabs/chisel-operator:v0.3.4
+          image: ghcr.io/fyralabs/chisel-operator:v0.4.0
           env:
             - name: RUST_LOG
               value: "debug"