issues with SA rules

Author: commjoen

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/role.yaml

@@ -13,7 +13,7 @@ rules:
     verbs: ['get', 'list', 'create', 'delete']
   - apiGroups: [''] # "" indicates the core API group
     resources: ['pod', 'pods', 'pods/log']
-    verbs: ['create', 'get', 'list', 'delete', 'watch']
+    verbs: ['create', 'get', 'list', 'delete', 'watch', 'patch', 'update']
   - apiGroups: [''] # "" indicates the core API group
     resources: ['namespaces']
     verbs: ['get', 'create', 'list', 'delete', 'patch', 'watch', 'update']
@@ -26,6 +26,9 @@ rules:
   - apiGroups: ['']
     resources: ['serviceaccounts']
     verbs: ['create', 'get', 'list', 'delete', 'patch', 'update']
+  - apiGroups: ['']
+    resources: ['pods/exec']
+    verbs: ['create']
   - apiGroups: ['rbac.authorization.k8s.io']
     resources: ['roles']
     verbs: ['create', 'delete', 'deletecollection', 'get', 'list', 'patch', 'update', 'watch', 'admin', 'escalate']

wrongsecrets-balancer/src/kubernetes.js

@@ -1812,14 +1812,22 @@ const createRoleForWebTop = async (team) => {
         resources: ['configmaps'],
         verbs: ['get', 'list'],
       },
-       {
+      {
         apiGroups: [''],
         resources: ['pods/exec'],
         verbs: ['create'],
         resourceNames: [
           `t-${team}-secret-challenge-53*`,
         ],
       },
+      {
+        apiGroups: [''],
+        resources: ['pods'],
+        verbs: ['patch', 'update'],
+        resourceNames: [
+          `t-${team}-secret-challenge-53*`,
+        ],
+      },
       {
         apiGroups: [''],
         resources: ['pod', 'pods', 'pods/log'],