Merge pull request #8537 from zalando-incubator/drop-secret-read

mikkeloscar · web-flow · commit f94d6df648a7 · 2024-11-26T11:26:21.000+01:00
[RBAC] drop secret read permission from poweruser ClusterRole
diff --git a/cluster/manifests/roles/collaborator-roles.yaml b/cluster/manifests/roles/collaborator-roles.yaml
@@ -14,6 +14,16 @@ rules:
   - update
   - patch
   - delete
+{{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{ end }}
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/cluster/manifests/roles/poweruser-role.yaml b/cluster/manifests/roles/poweruser-role.yaml
@@ -58,6 +58,7 @@ rules:
   - services/proxy
   verbs:
   - get
+{{ if ne .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 - apiGroups:
   - ''
   resources:
@@ -71,6 +72,7 @@ rules:
   - patch
   - update
   - watch
+{{ end }}
 - apiGroups:
   - ''
   - extensions
