- Separated the rbac from crd generation so that unnecesary roles

are not given to nimbus-operator
5GSEC · Jul 5, 2024 · a67d273 · a67d273
1 parent 1ff7f80
commit a67d273
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 40 deletions.
diff --git a/Makefile b/Makefile
@@ -50,7 +50,8 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=nimbus-operator crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=nimbus-operator webhook paths="./internal/..."
+	$(CONTROLLER_GEN) crd paths="./api/..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,35 +4,6 @@ kind: ClusterRole
 metadata:
   name: nimbus-operator
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - namespaces
-  - serviceaccounts
-  verbs:
-  - create
-  - delete
-  - get
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - batch
-  resources:
-  - cronjobs
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -141,13 +112,3 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  - clusterroles
-  verbs:
-  - create
-  - delete
-  - get
-  - update