Merge pull request #768 from SchSeba/reduce_rbac_resource_injector

Security: Reduce rbac from webhooks
k8snetworkplumbingwg · Sep 3, 2024 · c5b82f3 · c5b82f3
2 parents 0a2fc71 + 14e1bb8
commit c5b82f3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 68 deletions.
diff --git a/bindata/manifests/operator-webhook/002-rbac.yaml b/bindata/manifests/operator-webhook/002-rbac.yaml
@@ -10,48 +10,23 @@ kind: ClusterRole
 metadata:
   name: operator-webhook
 rules:
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs: ["get", "list", "watch"]
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  - certificatesigningrequests/approval
-  verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
 - apiGroups:
     - ""
   resources:
+    - nodes
     - configmaps
   verbs:
     - get
-    - update
+    - list
+    - watch
 - apiGroups:
-  - admissionregistration.k8s.io
+    - "sriovnetwork.openshift.io"
   resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
+    - "*"
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - '*'
-- apiGroups:
-  - "sriovnetwork.openshift.io"
-  resources:
-  - "*"
-  verbs:
-  - "*"
+    - get
+    - list
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/bindata/manifests/webhook/002-rbac.yaml b/bindata/manifests/webhook/002-rbac.yaml
@@ -11,46 +11,21 @@ metadata:
   name: network-resources-injector
 rules:
 - apiGroups:
-  - ""
-  - k8s.cni.cncf.io
-  - extensions
-  - apps
+    - k8s.cni.cncf.io
   resources:
-  - pods
-  - network-attachment-definitions
-  - replicationcontrollers
-  - replicasets
-  - daemonsets
-  - statefulsets
-  - configmaps
+    - network-attachment-definitions
   verbs:
-  - '*'
+    - 'watch'
+    - 'list'
+    - 'get'
 - apiGroups:
-  - certificates.k8s.io
+    - ""
   resources:
-  - certificatesigningrequests
-  - certificatesigningrequests/approval
+    - configmap
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - '*'
+    - 'watch'
+    - 'list'
+    - 'get'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding