
Commit a45c049

Merge pull request #964 from flavianmissi/OCPBUGS-11624
OCPBUGS-11624: manifests/02-rbac.yaml: stop using wild cards
2 parents 3248ba0 + c0de23f commit a45c049


2 files changed

+176
-28
lines changed


manifests/02-rbac.yaml

Lines changed: 171 additions & 23 deletions
@@ -17,15 +17,25 @@ rules:
1717
- "imagepruners"
1818
- "imagepruners/status"
1919
verbs:
20-
- "*"
20+
- create
21+
- delete
22+
- get
23+
- list
24+
- patch
25+
- update
26+
- watch
2127
- apiGroups:
2228
- config.openshift.io
2329
resources:
24-
- "clusteroperators"
2530
- "images"
2631
- "images/status"
2732
verbs:
28-
- "*"
33+
- create
34+
- get
35+
- list
36+
- patch
37+
- update
38+
- watch
2939
- apiGroups:
3040
- config.openshift.io
3141
resources:
@@ -34,32 +44,43 @@ rules:
3444
- get
3545
- list
3646
- watch
47+
- apiGroups:
48+
- ""
49+
resources:
50+
- namespaces
51+
verbs:
52+
- get
3753
- apiGroups:
3854
- ""
3955
resources:
4056
- configmaps
41-
- endpoints
4257
- events
43-
- namespaces
4458
- persistentvolumeclaims
4559
- pods
4660
- secrets
4761
- services
48-
verbs:
49-
- "*"
50-
- apiGroups:
51-
- ""
52-
resources:
5362
- serviceaccounts
5463
verbs:
55-
- "*"
64+
- create
65+
- delete
66+
- get
67+
- list
68+
- patch
69+
- update
70+
- watch
5671
- apiGroups:
5772
- rbac.authorization.k8s.io
5873
resources:
5974
- clusterroles
6075
- clusterrolebindings
6176
verbs:
62-
- "*"
77+
- create
78+
- delete
79+
- get
80+
- list
81+
- patch
82+
- update
83+
- watch
6384
- apiGroups:
6485
- ""
6586
resources:
@@ -68,19 +89,19 @@ rules:
6889
- nodes
6990
verbs:
7091
- list
71-
- apiGroups:
72-
- image.openshift.io
73-
resources:
74-
- "*"
75-
verbs:
76-
- "*"
7792
- apiGroups:
7893
- route.openshift.io
7994
resources:
8095
- routes
8196
- routes/custom-host
8297
verbs:
83-
- "*"
98+
- create
99+
- delete
100+
- get
101+
- list
102+
- patch
103+
- update
104+
- watch
84105
- apiGroups:
85106
- config.openshift.io
86107
resources:
@@ -89,7 +110,10 @@ rules:
89110
verbs:
90111
- create
91112
- get
113+
- list
114+
- watch
92115
- update
116+
- delete
93117
- apiGroups:
94118
- config.openshift.io
95119
resources:
@@ -98,6 +122,106 @@ rules:
98122
- list
99123
- get
100124
- watch
125+
# permissions required to grant image-registry permissions
126+
- apiGroups:
127+
- "batch"
128+
resources:
129+
- cronjobs
130+
- jobs
131+
verbs:
132+
- get
133+
- list
134+
- apiGroups:
135+
- "apps"
136+
resources:
137+
- daemonsets
138+
- deployments
139+
- replicasets
140+
- statefulsets
141+
verbs:
142+
- get
143+
- list
144+
- apiGroups:
145+
- ""
146+
resources:
147+
- replicationcontrollers
148+
verbs:
149+
- get
150+
- list
151+
- apiGroups:
152+
- "apps.openshift.io"
153+
resources:
154+
- deploymentconfigs
155+
verbs:
156+
- get
157+
- list
158+
- apiGroups:
159+
- "build.openshift.io"
160+
resources:
161+
- buildconfigs
162+
- builds
163+
verbs:
164+
- get
165+
- list
166+
- apiGroups:
167+
- "image.openshift.io"
168+
resources:
169+
- images
170+
verbs:
171+
- get
172+
- update
173+
- create
174+
- delete
175+
- list
176+
- watch
177+
- apiGroups:
178+
- "image.openshift.io"
179+
resources:
180+
- imagestreams
181+
verbs:
182+
- get
183+
- list
184+
- watch
185+
- update
186+
- apiGroups:
187+
- "image.openshift.io"
188+
resources:
189+
- imagestreams/status
190+
verbs:
191+
- update
192+
- apiGroups:
193+
- "image.openshift.io"
194+
resources:
195+
- imagestreamimages
196+
- imagestreams/layers
197+
- imagestreams/secrets
198+
verbs:
199+
- get
200+
- apiGroups:
201+
- "image.openshift.io"
202+
resources:
203+
- imagestreammappings
204+
verbs:
205+
- create
206+
- apiGroups:
207+
- "image.openshift.io"
208+
resources:
209+
- imagestreamtags
210+
verbs:
211+
- delete
212+
- apiGroups:
213+
- config.openshift.io
214+
resources:
215+
- imagedigestmirrorsets
216+
- imagetagmirrorsets
217+
verbs:
218+
- list
219+
- apiGroups:
220+
- "operator.openshift.io"
221+
resources:
222+
- imagecontentsourcepolicies
223+
verbs:
224+
- list
101225
---
102226
kind: Role
103227
apiVersion: rbac.authorization.k8s.io/v1
@@ -118,26 +242,50 @@ rules:
118242
- replicasets
119243
- statefulsets
120244
verbs:
121-
- "*"
245+
- create
246+
- delete
247+
- get
248+
- list
249+
- patch
250+
- update
251+
- watch
122252
- apiGroups:
123253
- batch
124254
resources:
125255
- cronjobs
126256
- jobs
127257
verbs:
128-
- "*"
258+
- create
259+
- delete
260+
- get
261+
- list
262+
- patch
263+
- update
264+
- watch
129265
- apiGroups:
130266
- coordination.k8s.io
131267
resources:
132268
- leases
133269
verbs:
134-
- "*"
270+
- create
271+
- delete
272+
- get
273+
- list
274+
- patch
275+
- update
276+
- watch
135277
- apiGroups:
136278
- policy
137279
resources:
138280
- poddisruptionbudgets
139281
verbs:
140-
- "*"
282+
- create
283+
- delete
284+
- get
285+
- list
286+
- patch
287+
- update
288+
- watch
141289
---
142290
kind: ClusterRoleBinding
143291
apiVersion: rbac.authorization.k8s.io/v1
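Review bot: The comment added at new line 125, `# permissions required to grant image-registry permissions`, states a non-obvious coupling too tersely: the operator creates and updates ClusterRoles (new lines 77-83 grant create/update on clusterroles but not `escalate`), so the API server's escalation check only lets it grant permissions it already holds, which is why the rules at new lines 126-224 mirror the pruner ClusterRole built in pkg/resource/prunerclusterrole.go. Suggest expanding it to `# The operator reconciles the pruner ClusterRole without the "escalate" verb, so it may only grant what it holds itself; keep these rules a superset of pkg/resource/prunerclusterrole.go.` Removing a verb here now fails at runtime as a forbidden ClusterRole update rather than at build time, so a unit test checking the manifest covers expected() would be worth adding. Separately, `clusteroperators` is dropped from the config.openshift.io rule at old line 24; presumably another rule outside hunk 4 still covers it — worth confirming.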

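--- a/pkg/resource/prunerclusterrole.go
+++ b/pkg/resource/prunerclusterrole.go
@@ -60,15 +60,15 @@ func (gcr *generatorPrunerClusterRole) expected() (runtime.Object, error) {
 },
 {
 Verbs: []string{"get", "list"},
-APIGroups: []string{"build.openshift.io", ""},
+APIGroups: []string{"build.openshift.io"},
 Resources: []string{
 "buildconfigs",
 "builds",
 },
 },
 {
 Verbs: []string{"get", "list"},
-APIGroups: []string{"apps.openshift.io", ""},
+APIGroups: []string{"apps.openshift.io"},
 Resources: []string{
 "deploymentconfigs",
 },
@@ -93,22 +93,22 @@ func (gcr *generatorPrunerClusterRole) expected() (runtime.Object, error) {
 },
 {
 Verbs: []string{"delete"},
-APIGroups: []string{"image.openshift.io", ""},
+APIGroups: []string{"image.openshift.io"},
 Resources: []string{
 "images",
 },
 },
 {
 Verbs: []string{"get", "list", "watch"},
-APIGroups: []string{"image.openshift.io", ""},
+APIGroups: []string{"image.openshift.io"},
 Resources: []string{
 "images",
 "imagestreams",
 },
 },
 {
 Verbs: []string{"update"},
-APIGroups: []string{"image.openshift.io", ""},
+APIGroups: []string{"image.openshift.io"},
 Resources: []string{
 "imagestreams/status",
 },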
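Review bot: The three `image.openshift.io` entries at new lines 96, 103 and 111 (and the build/apps groups at 63 and 71) now repeat the same string literals; a package-level `const imageAPIGroup = "image.openshift.io"` used in each rule would turn a future typo into a compile error instead of a silently ineffective RBAC rule. Dropping the core group `""` is correct since none of these resources live in it, but `expected()` starts and ends outside both hunks, so rules in the unseen part of the function may still pair `""` with a non-core group — worth a quick check. These rules are also granted by the operator without the `escalate` verb, so each must stay covered by the operator's own ClusterRole in manifests/02-rbac.yaml; a comment on the rule list such as `// Every rule here must also be held by the operator itself (manifests/02-rbac.yaml), or the ClusterRole update is rejected as privilege escalation.` would anchor that coupling.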
