ClusterRole shouldnt use * wildcards in apiGroups, resources, or verbs

[epasham]

In what area(s)?

/area monitoring

Other classifications:
/kind good-first-issue

Describe the feature

knative-serving-core ClusterRole deployment YAML use * wildcards in apiGroups, resources, or verbs. Wildcards violate least-privilege and grant unintended broad access

Link to the YAML -> https://github.com/knative/serving/blob/main/config/core/200-roles/clusterrole.yaml

[epasham]

The below entries needs to be corrected.

• apiGroups: ["serving.knative.dev", "autoscaling.internal.knative.dev", "networking.internal.knative.dev"]
  resources: ["", "/status", "*/finalizers"]

• apiGroups: [""]
  resources: ["/scale"]
  verbs: ["patch"]

[epasham]

• apiGroups: [""]
  resources: ["/scale"]
  verbs: ["patch"]

In the above apiGroup, can we include all available api groups or just the api groups that are relevant to knative. Can someone from community please confirm

[wiz-abhi]

Hi! I'd like to work on this issue.

My plan is to replace the * wildcards in the knative-serving-core ClusterRole with explicit resources:

1. For apiGroups: ["serving.knative.dev", "autoscaling.internal.knative.dev", "networking.internal.knative.dev"], replace resources: ["", "/status", "*/finalizers"] with the explicit list of resources from each API group (derived from the CRD definitions):

   • serving.knative.dev: configurations, revisions, routes, services, domainmappings
   • autoscaling.internal.knative.dev: metrics, podautoscalers
   • networking.internal.knative.dev: certificates, ingresses, serverlessservices, clusterdomainclaims
     And their respective /status and /finalizers subresources.

2. For the apiGroups: [""] / resources: ["/scale"] rule, restrict it to apiGroups: ["apps"] and resources: ["deployments/scale"] since the Knative controller only patches the scale subresource of Deployments (as defined in ScaleTargetRef).

I'll open a PR shortly with the fix.

[wiz-abhi]

Update on my approach after review feedback in #16601:

I initially planned to restrict the */scale rule to deployments/scale, but after review I learned that PR #16540 intentionally added support for scaling any resource that exposes the /scale subresource (not just Deployments — e.g., CloneSet, AppSet, and other custom CRDs). Restricting this would regress that feature.

So my updated approach:

1. ✅ Keep apiGroups: ["*"] / resources: ["*/scale"] — required for multi-type workload scaling
2. ✅ Explicitly list all Knative CRDs and their /status and /finalizers subresources for the Knative-owned API groups

The PR (#16601) has been updated accordingly. Waiting for maintainer guidance on whether explicit RBAC for Knative CRDs is preferred over wildcard for maintenance simplicity.