Merge pull request #531 from Disper/rbac_least_priviligates

Rbac least priviligates
kyma-project · Dec 3, 2024 · 0c9f028 · 0c9f028
2 parents 85841f0 + 7b79f76
commit 0c9f028
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 31 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -1,8 +1,9 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: infrastructure-manager-role
+  namespace: kcp-system
 rules:
 - apiGroups:
   - ""
@@ -31,37 +32,24 @@ rules:
   - infrastructuremanager.kyma-project.io
   resources:
   - gardenerclusters/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
   - gardenerclusters/status
-  verbs:
-  - update
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
-  - runtimes
+  - runtimes/finalizers
+  - runtimes/status
   verbs:
   - create
   - delete
   - get
   - list
   - patch
   - update
-  - watch
-- apiGroups:
-  - infrastructuremanager.kyma-project.io
-  resources:
-  - runtimes/finalizers
-  verbs:
-  - update
 - apiGroups:
   - infrastructuremanager.kyma-project.io
   resources:
-  - runtimes/status
+  - runtimes
   verbs:
+  - create
   - get
+  - list
   - patch
   - update
+  - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -1,17 +1,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/name: rolebinding
     app.kubernetes.io/instance: infrastructure-manager-rolebinding
     app.kubernetes.io/component: rbac
     app.kubernetes.io/created-by: infrastructure-manager
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: infrastructure-manager-rolebinding
+  namespace: kcp-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: infrastructure-manager-role
 subjects:
 - kind: ServiceAccount

diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -9,4 +9,4 @@ metadata:
     app.kubernetes.io/part-of: infrastructure-manager
     app.kubernetes.io/managed-by: kustomize
   name: infrastructure-manager
-  namespace: system
+  namespace: kcp-system
diff --git a/internal/controller/kubeconfig/gardener_cluster_controller.go b/internal/controller/kubeconfig/gardener_cluster_controller.go
@@ -79,10 +79,10 @@ type KubeconfigProvider interface {
 	Fetch(ctx context.Context, shootName string) (string, error)
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=update
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters,verbs=get;list;watch;create;update;patch;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/finalizers,verbs=get;list;delete;create;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=gardenerclusters/status,verbs=get;list;delete;create;update;patch,namespace=kcp-system
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

diff --git a/internal/controller/runtime/runtime_controller.go b/internal/controller/runtime/runtime_controller.go
@@ -45,9 +45,9 @@ type RuntimeReconciler struct {
 	RequestID     atomic.Uint64
 }
 
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes,verbs=get;list;watch;create;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/status,verbs=get;list;delete;create;update;patch,namespace=kcp-system
+//+kubebuilder:rbac:groups=infrastructuremanager.kyma-project.io,resources=runtimes/finalizers,verbs=get;list;delete;create;update;patch,namespace=kcp-system
 
 func (r *RuntimeReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 	r.Log.Info(request.String())