From c1f0f056adbabced33a283a183c882d6e44b4adc Mon Sep 17 00:00:00 2001
From: Sebastian Sch
Date: Wed, 28 Aug 2024 15:22:30 +0300
Subject: [PATCH 1/2] security: remove not needed rbac rules from resource injector

Signed-off-by: Sebastian Sch
---
 bindata/manifests/webhook/002-rbac.yaml | 45 ++++++-------------------
 1 file changed, 10 insertions(+), 35 deletions(-)

diff --git a/bindata/manifests/webhook/002-rbac.yaml b/bindata/manifests/webhook/002-rbac.yaml
index 0c33e3a08..77b2d95d7 100644
--- a/bindata/manifests/webhook/002-rbac.yaml
+++ b/bindata/manifests/webhook/002-rbac.yaml
@@ -11,46 +11,21 @@ metadata:
   name: network-resources-injector
 rules:
 - apiGroups:
-  - ""
-  - k8s.cni.cncf.io
-  - extensions
-  - apps
+  - k8s.cni.cncf.io
   resources:
-  - pods
-  - network-attachment-definitions
-  - replicationcontrollers
-  - replicasets
-  - daemonsets
-  - statefulsets
-  - configmaps
+  - network-attachment-definitions
   verbs:
-  - '*'
+  - 'watch'
+  - 'list'
+  - 'get'
 - apiGroups:
-  - certificates.k8s.io
+  - ""
   resources:
-  - certificatesigningrequests
-  - certificatesigningrequests/approval
+  - configmap
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - '*'
+  - 'watch'
+  - 'list'
+  - 'get'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

From 14e1bb8b28314dfb5a38f3454094fa94d9fcc8a2 Mon Sep 17 00:00:00 2001
From: Sebastian Sch
Date: Wed, 28 Aug 2024 15:32:27 +0300
Subject: [PATCH 2/2] security: remove not needed rbac rules from operator webhook

Signed-off-by: Sebastian Sch
---
 .../manifests/operator-webhook/002-rbac.yaml | 41 ++++-----------------
 1 file changed, 8 insertions(+), 33 deletions(-)

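Review bot: The new core-group rule grants `configmap`, which is not a Kubernetes API resource name — the resource is `configmaps` (plural, as the removed rule spelled it), so as written the rule grants nothing and any ConfigMap get/list/watch the injector performs will be denied with Forbidden once the old wildcard rule is gone. Change the line to `  - configmaps`. The rule is also cluster-wide via this ClusterRole; if the injector only reads ConfigMaps in its own namespace, a namespaced Role/RoleBinding would be tighter, but which namespaces it reads is not visible from this hunk. Minor style point: the `'watch'`/`'list'`/`'get'` quoting is inconsistent with the unquoted resource and group names in the same rule, and none of these verbs are YAML-ambiguous, so plain `- get` etc. reads cleaner.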
diff --git a/bindata/manifests/operator-webhook/002-rbac.yaml b/bindata/manifests/operator-webhook/002-rbac.yaml
index 35158ad94..7396c3ca4 100644
--- a/bindata/manifests/operator-webhook/002-rbac.yaml
+++ b/bindata/manifests/operator-webhook/002-rbac.yaml
@@ -10,48 +10,23 @@ kind: ClusterRole
 metadata:
   name: operator-webhook
 rules:
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs: ["get", "list", "watch"]
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  - certificatesigningrequests/approval
-  verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
 - apiGroups:
   - ""
   resources:
+  - nodes
   - configmaps
   verbs:
   - get
-  - update
+  - list
+  - watch
 - apiGroups:
-  - admissionregistration.k8s.io
+  - "sriovnetwork.openshift.io"
   resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
+  - "*"
   verbs:
-  - '*'
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - '*'
-- apiGroups:
-  - "sriovnetwork.openshift.io"
-  resources:
-  - "*"
-  verbs:
-  - "*"
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
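Review bot: The rewritten `sriovnetwork.openshift.io` rule still carries `resources: "*"`, so the narrowing here is only in verbs, and any CRD added to that group in future becomes readable by the webhook by default. If the webhook reads a fixed set of kinds (the handler code, not visible here, would show which — presumably the policy and node-state objects it validates against), enumerate them, e.g. `- sriovnetworknodepolicies` / `- sriovnetworknodestates`, in place of the wildcard. The merged core-group rule likewise grants `configmaps` get/list/watch across every namespace through this ClusterRole; if only the operator namespace's ConfigMaps are read, splitting that into a namespaced Role and keeping only `nodes` in the ClusterRole would be the least-privilege shape.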