Merge pull request #48 from siddhibhor-56/eso-154

ESO-154: Review permissions granted to operator through RBAC's & Removes the unused delete and patch permissions.

Author: openshift-merge-bot[bot]

bundle/manifests/external-secrets-operator.clusterserviceversion.yaml

@@ -204,8 +204,8 @@ metadata:
     capabilities: Basic Install
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
-    containerImage: ""
-    createdAt: "2025-06-24T04:29:21Z"
+    containerImage: openshift.io/external-secrets-operator:latest
+    createdAt: "2025-08-01T10:58:49Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -382,7 +382,6 @@ spec:
           - validatingwebhookconfigurations
           verbs:
           - create
-          - delete
           - get
           - list
           - patch
@@ -406,10 +405,8 @@ spec:
           - deployments
           verbs:
           - create
-          - delete
           - get
           - list
-          - patch
           - update
           - watch
         - apiGroups:
@@ -420,10 +417,8 @@ spec:
           - issuers
           verbs:
           - create
-          - delete
           - get
           - list
-          - patch
           - update
           - watch
         - apiGroups:
@@ -432,7 +427,6 @@ spec:
           - leases
           verbs:
           - create
-          - delete
           - get
           - list
           - patch
@@ -502,13 +496,10 @@ spec:
           - operator.openshift.io
           resources:
           - externalsecrets
-          - externalsecretsmanagers
           verbs:
           - create
-          - delete
           - get
           - list
-          - patch
           - update
           - watch
         - apiGroups:
@@ -522,6 +513,24 @@ spec:
           - operator.openshift.io
           resources:
           - externalsecrets/status
+          verbs:
+          - get
+          - update
+        - apiGroups:
+          - operator.openshift.io
+          resources:
+          - externalsecretsmanagers
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - operator.openshift.io
+          resources:
           - externalsecretsmanagers/status
           verbs:
           - get
@@ -648,6 +657,7 @@ spec:
                     drop:
                     - ALL
                   privileged: false
+                  readOnlyRootFilesystem: true
                   runAsNonRoot: true
                   seccompProfile:
                     type: RuntimeDefault

config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml

@@ -6,7 +6,7 @@ metadata:
     capabilities: Basic Install
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
-    containerImage: ""
+    containerImage: openshift.io/external-secrets-operator:latest
     createdAt: 2023-03-03T00:00:00
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"

config/rbac/role.yaml

@@ -42,7 +42,6 @@ rules:
   - validatingwebhookconfigurations
   verbs:
   - create
-  - delete
   - get
   - list
   - patch
@@ -66,10 +65,8 @@ rules:
   - deployments
   verbs:
   - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
@@ -80,10 +77,8 @@ rules:
   - issuers
   verbs:
   - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
@@ -92,7 +87,6 @@ rules:
   - leases
   verbs:
   - create
-  - delete
   - get
   - list
   - patch
@@ -162,13 +156,10 @@ rules:
   - operator.openshift.io
   resources:
   - externalsecrets
-  - externalsecretsmanagers
   verbs:
   - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
 - apiGroups:
@@ -182,6 +173,24 @@ rules:
   - operator.openshift.io
   resources:
   - externalsecrets/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - operator.openshift.io
+  resources:
+  - externalsecretsmanagers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - operator.openshift.io
+  resources:
   - externalsecretsmanagers/status
   verbs:
   - get

pkg/controller/external_secrets/controller.go

@@ -90,17 +90,17 @@ type Reconciler struct {
 	optionalResourcesList map[string]struct{}
 }
 
-// +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecretsmanagers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecretsmanagers,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets/status,verbs=get;update
 // +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets/finalizers,verbs=update
-// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch
 
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=events;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates;clusterissuers;issuers,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="",resources=events;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;delete;patch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates;clusterissuers;issuers,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create
 
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch;create