From 6255f20f5a18b6d22cbbf648e50b02e319dcfb3b Mon Sep 17 00:00:00 2001
From: YuChen
Date: Wed, 8 Oct 2025 13:11:37 -0700
Subject: [PATCH 1/2] remove unnecessary permission for helm
Signed-off-by: YuChen
---
.../templates/01-cluster-rbac.yaml | 4 ----
helm/templates/00-rbac.yaml | 17 ++++++++---------
2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/helm-cluster-scoped/templates/01-cluster-rbac.yaml b/helm-cluster-scoped/templates/01-cluster-rbac.yaml
index 1c0990f..6004fb7 100644
--- a/helm-cluster-scoped/templates/01-cluster-rbac.yaml
+++ b/helm-cluster-scoped/templates/01-cluster-rbac.yaml
@@ -16,11 +16,8 @@ metadata:
{{- end}}
rules:
- verbs:
- - create
- - delete
- get
- list
- - patch
- update
- watch
apiGroups:
@@ -30,7 +27,6 @@ rules:
- validatingwebhookconfigurations
- verbs:
- get
- - list
apiGroups:
- ''
resources:
diff --git a/helm/templates/00-rbac.yaml b/helm/templates/00-rbac.yaml
index 9453f6b..ed42e13 100644
--- a/helm/templates/00-rbac.yaml
+++ b/helm/templates/00-rbac.yaml
@@ -25,7 +25,6 @@ rules:
- delete
- get
- list
- - patch
- update
- watch
- deletecollection
@@ -36,22 +35,27 @@ rules:
- roles
- verbs:
- create
- - delete
- get
- list
- - patch
- update
- watch
apiGroups:
- ''
resources:
- configmaps
+ - verbs:
+ - delete
+ - get
+ - list
+ - watch
+ apiGroups:
+ - ''
+ resources:
- pods
- verbs:
- get
- list
- patch
- - update
- watch
apiGroups:
- operators.coreos.com
@@ -70,14 +74,10 @@ rules:
- namespacescopes/status
- namespacescopes/finalizers
- verbs:
- - delete
- get
- - list
- patch
- update
- watch
- - deletecollection
- - create
apiGroups:
- apps
resources:
@@ -86,7 +86,6 @@ rules:
- statefulsets
- verbs:
- get
- - list
apiGroups:
- ''
resources:
From 5d85d29dda498425525a33d5093ae079cc946466 Mon Sep 17 00:00:00 2001
From: YuChen
Date: Wed, 8 Oct 2025 13:12:53 -0700
Subject: [PATCH 2/2] reduce permissions
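Review bot: Dropping `create` and `delete` on mutatingwebhookconfigurations/validatingwebhookconfigurations in the first hunk of helm-cluster-scoped/templates/01-cluster-rbac.yaml leaves the operator able only to `update` an object that already exists, so this is only safe if the webhook configuration is shipped as a static manifest by the chart; if the controller registers it at start-up, a fresh install will now fail with a forbidden error and `- create` has to come back. Keeping `update` on these objects is still a cluster-wide privilege (whoever holds it can redirect admission for every namespace), so the template should say why the operator needs it and who owns the object's lifecycle, e.g. `# update-only: the webhook configurations are created/removed by the chart, the operator only rewrites its own entries` (adjust if creation actually happens in the controller). The `apiGroups`/`resources` part of this rule lies outside the hunk.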
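Review bot: The apps rule in the fourth hunk of helm/templates/00-rbac.yaml now grants `watch` on deployments/daemonsets/statefulsets but no `list`, which is an unusual combination: an informer-backed client (controller-runtime's default cached client, or any watch set up through a lister) issues a List before the Watch and will be rejected with a forbidden error, so the cache for these types either fails to start or silently falls back to uncached reads. If the operator only performs direct `Get`/`Patch`/`Update` on workloads, drop `- watch` as well; if it caches or watches them, restore `- list`. Either way the verb set should be derived from the actual client calls rather than trimmed in isolation; the `apiGroups: - apps` stanza continues past the end of the hunk.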
Signed-off-by: YuChen
---
...-scope-operator.clusterserviceversion.yaml | 23 +++----
config/rbac/role.yaml | 21 +++---
deploy/role.yaml | 65 +++++++++++++++++--
3 files changed, 78 insertions(+), 31 deletions(-)
diff --git a/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml
index d0be5be..7f5942c 100644
--- a/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml
@@ -68,11 +68,8 @@ spec:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- - create
- - delete
- get
- list
- - patch
- update
- watch
- apiGroups:
@@ -81,7 +78,6 @@ spec:
- namespaces
verbs:
- get
- - list
serviceAccountName: ibm-namespace-scope-operator
deployments:
- label:
@@ -166,7 +162,6 @@ spec:
- delete
- get
- list
- - patch
- update
- watch
- deletecollection
@@ -174,15 +169,21 @@ spec:
- ""
resources:
- configmaps
- - pods
verbs:
- create
- - delete
- get
- list
- - patch
- update
- watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - list
+ - watch
- apiGroups:
- operators.coreos.com
resources:
@@ -191,7 +192,6 @@ spec:
- get
- list
- patch
- - update
- watch
- apiGroups:
- operator.ibm.com
@@ -212,21 +212,16 @@ spec:
- daemonsets
- statefulsets
verbs:
- - delete
- get
- - list
- patch
- update
- watch
- - deletecollection
- - create
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- - list
serviceAccountName: ibm-namespace-scope-operator
strategy: deployment
installModes:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index cf80196..578cd2d 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -8,7 +8,6 @@ rules:
- delete
- get
- list
- - patch
- update
- watch
- deletecollection
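Review bot: In the clusterserviceversions rule of the CSV (hunk `@@ -191,7 +192,6 @@`) the commit removes `update` but keeps `patch`, while the roles/rolebindings rule a few hunks earlier removes `patch` and keeps `update`; both verbs authorize the same write to the object, so neither removal narrows what the service account can do — it only constrains which client call the code may use (`client.Update`/`CreateOrUpdate` versus `client.Patch`). That is worth stating explicitly, because a later refactor that switches call style will surface as a runtime forbidden error rather than a review-time finding. Consider recording the intended operation per rule as a comment in config/rbac/role.yaml (the bundle CSV is presumably regenerated from it), e.g. `# CSVs are modified via Patch only; Update is intentionally not granted`, and confirm that no code path issues an Update on a CSV. The surrounding `permissions` list continues outside these hunks.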
@@ -19,22 +18,27 @@ rules:
- roles
- verbs:
- create
- - delete
- get
- list
- - patch
- update
- watch
apiGroups:
- ''
resources:
- configmaps
+ - verbs:
+ - delete
+ - get
+ - list
+ - watch
+ apiGroups:
+ - ''
+ resources:
- pods
- verbs:
- get
- list
- patch
- - update
- watch
apiGroups:
- operators.coreos.com
@@ -53,14 +57,10 @@ rules:
- namespacescopes/status
- namespacescopes/finalizers
- verbs:
- - delete
- get
- - list
- patch
- update
- watch
- - deletecollection
- - create
apiGroups:
- apps
resources:
@@ -69,7 +69,6 @@ rules:
- statefulsets
- verbs:
- get
- - list
apiGroups:
- ''
resources:
@@ -82,11 +81,8 @@ metadata:
rules:
# manage mutation webhook configuration
- verbs:
- - create
- - delete
- get
- list
- - patch
- update
- watch
apiGroups:
@@ -96,7 +92,6 @@ rules:
- validatingwebhookconfigurations
- verbs:
- get
- - list
apiGroups:
- ''
resources:
diff --git a/deploy/role.yaml b/deploy/role.yaml
index be3ef76..52a773f 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
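Review bot: The comment `# manage mutation webhook configuration` kept above the ClusterRole rule in config/rbac/role.yaml (hunk `@@ -82,11 +81,8 @@`) is now misleading: after this change the rule grants only get/list/update/watch, so the operator can neither create nor delete the webhook configuration, and the rule also covers validatingwebhookconfigurations, not only the mutating one. Suggest replacing it with `# read and update the operator's mutating/validating webhook configurations; they are created and removed by the installer, not by the operator` (adjust if creation actually happens elsewhere). The ClusterRole's metadata and the rest of its rules lie outside this hunk.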
@@ -2,18 +2,75 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- creationTimestamp: null
name: ibm-namespace-scope-operator
rules:
- apiGroups:
- - "*"
+ - rbac.authorization.k8s.io
resources:
- - "*"
+ - rolebindings
+ - roles
verbs:
- create
- delete
- get
- list
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - operator.ibm.com
+ resources:
+ - namespacescopes
+ - namespacescopes/status
+ - namespacescopes/finalizers
+ verbs:
+ - get
+ - list
- patch
- update
- - watch
\ No newline at end of file
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - statefulsets
+ verbs:
+ - get
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
\ No newline at end of file
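Review bot: The new side of deploy/role.yaml still ends without a trailing newline — `\ No newline at end of file` follows the final `+ - get` — so the next change to this file will again show a spurious diff on its last line; end the file with a newline after `- get`. Separately, the new `apps` rule grants `watch` on deployments/daemonsets/statefulsets without `list`, which an informer-backed client cannot use (its initial List is rejected), so either add `- list` there if the operator caches these types or drop `- watch` if it only does direct reads and writes. Replacing the `"*"`/`"*"` wildcard with explicit rules is the right direction; note that `create`/`update` on rolebindings and roles is still bounded only by the API server's escalation check, so verify no other binding grants this service account `bind` or `escalate`.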