security: remove not needed rbac rules from operator webhook

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
k8snetworkplumbingwg · Aug 28, 2024 · 14e1bb8 · 14e1bb8
1 parent c1f0f05
commit 14e1bb8
Showing 1 changed file with 8 additions and 33 deletions.
diff --git a/bindata/manifests/operator-webhook/002-rbac.yaml b/bindata/manifests/operator-webhook/002-rbac.yaml
@@ -10,48 +10,23 @@ kind: ClusterRole
 metadata:
   name: operator-webhook
 rules:
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs: ["get", "list", "watch"]
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  - certificatesigningrequests/approval
-  verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
 - apiGroups:
     - ""
   resources:
+    - nodes
     - configmaps
   verbs:
     - get
-    - update
+    - list
+    - watch
 - apiGroups:
-  - admissionregistration.k8s.io
+    - "sriovnetwork.openshift.io"
   resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
+    - "*"
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - '*'
-- apiGroups:
-  - "sriovnetwork.openshift.io"
-  resources:
-  - "*"
-  verbs:
-  - "*"
+    - get
+    - list
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding