From 14e1bb8b28314dfb5a38f3454094fa94d9fcc8a2 Mon Sep 17 00:00:00 2001
From: Sebastian Sch
Date: Wed, 28 Aug 2024 15:32:27 +0300
Subject: [PATCH] security: remove not needed rbac rules from operator webhook
Signed-off-by: Sebastian Sch
---
 .../manifests/operator-webhook/002-rbac.yaml | 41 ++++---------------
 1 file changed, 8 insertions(+), 33 deletions(-)
diff --git a/bindata/manifests/operator-webhook/002-rbac.yaml b/bindata/manifests/operator-webhook/002-rbac.yaml
index 35158ad94..7396c3ca4 100644
--- a/bindata/manifests/operator-webhook/002-rbac.yaml
+++ b/bindata/manifests/operator-webhook/002-rbac.yaml
@@ -10,48 +10,23 @@ kind: ClusterRole
 metadata:
 name: operator-webhook
 rules:
-- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
-- apiGroups:
- - certificates.k8s.io
- resources:
- - certificatesigningrequests
- - certificatesigningrequests/approval
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - '*'
 - apiGroups:
 - ""
 resources:
+ - nodes
 - configmaps
 verbs:
 - get
- - update
+ - list
+ - watch
 - apiGroups:
- - admissionregistration.k8s.io
+ - "sriovnetwork.openshift.io"
 resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
+ - "*"
 verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - '*'
-- apiGroups:
- - "sriovnetwork.openshift.io"
- resources:
- - "*"
- verbs:
- - "*"
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
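Review bot: The remaining `sriovnetwork.openshift.io` rule still uses `resources: "*"`, so the webhook's service account gets read access to any resource later added to that API group. If the webhook only reads a known set of custom resources, list them explicitly, one `- <resource-the-webhook-reads>` entry (placeholder) each, in place of `- "*"`. The merged core-group rule also grants `get`/`list`/`watch` on `configmaps` in every namespace through this ClusterRole; if the webhook reads config maps only from the operator's own namespace, that entry would be tighter as a namespaced Role, leaving just `nodes` here. A one-line comment above each rule naming the webhook check that needs it would help keep the role from growing again; the wording has to be confirmed against the webhook code, which is not visible here. The ClusterRole header and the ClusterRoleBinding that follows lie outside the hunk.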