From 04d42b7b117a8c2cf31b17493e3c4463bd446c45 Mon Sep 17 00:00:00 2001
From: sbx
Date: Sun, 5 Nov 2023 18:04:55 +0100
Subject: [PATCH 1/2] ci: limit rbac for the reconciler
---
 charts/tf-controller/templates/rbac.yaml | 65 +++++++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)
diff --git a/charts/tf-controller/templates/rbac.yaml b/charts/tf-controller/templates/rbac.yaml
index 28bca945..b49fd6d0 100644
--- a/charts/tf-controller/templates/rbac.yaml
+++ b/charts/tf-controller/templates/rbac.yaml
@@ -46,6 +46,69 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ name: tf-cluster-reconciler-role
+rules:
+- apiGroups:
+ - infra.contrib.fluxcd.io
+ resources:
+ - terraforms
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - infra.contrib.fluxcd.io
+ resources:
+ - terraforms/finalizers
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: tf-manager-role
 rules:
@@ -167,7 +230,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: tf-cluster-reconciler-role
 subjects:
 - kind: ServiceAccount
 name: {{ include "tf-controller.serviceAccountName" . }}
From acb925dc98e4ea8c01ea9b91dadd0f53be16735c Mon Sep 17 00:00:00 2001
From: yiannis
Date: Fri, 1 Dec 2023 11:55:36 +0000
Subject: [PATCH 2/2] fix: Remove jobs permissions from ClusterRole
---
 charts/tf-controller/templates/rbac.yaml | 12 ------------
 1 file changed, 12 deletions(-)
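Review bot: The last rule of the new `tf-cluster-reconciler-role` grants get/list/watch/create/update/patch/delete on `secrets` and `configmaps` in every namespace, which makes cluster-wide read of all Secrets the broadest data-access grant left in the role after dropping `cluster-admin`; if the reconciler only touches Secrets in the namespaces where Terraform objects live, a namespaced Role plus RoleBinding per watched namespace would preserve the intent of this commit. The `terraforms` rule has no `terraforms/status` entry, so if the controller writes `.status` through the status subresource it will need `- terraforms/status` with `patch` and `update` as well — confirm against the existing `tf-manager-role` that follows the hunk. Like `tf-manager-role`, the ClusterRole name is hard-coded rather than derived from the release, so two installs of the chart on one cluster would collide on the cluster-scoped object.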
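Review bot: `roleRef` on an existing ClusterRoleBinding is immutable in Kubernetes, so changing it from `cluster-admin` to `tf-cluster-reconciler-role` in place will make `helm upgrade` fail on clusters that already have the chart installed; the binding has to be deleted and recreated, or given a new `metadata.name` so Helm creates a fresh object and garbage-collects the old one. The binding's `metadata.name` sits above this hunk, so the rename (or an upgrade note in the chart README) belongs there. The `subjects` block continues past the end of the hunk.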
diff --git a/charts/tf-controller/templates/rbac.yaml b/charts/tf-controller/templates/rbac.yaml
index b49fd6d0..04f17d2a 100644
--- a/charts/tf-controller/templates/rbac.yaml
+++ b/charts/tf-controller/templates/rbac.yaml
@@ -81,18 +81,6 @@ rules:
 - update
 - patch
 - delete
-- apiGroups:
- - ""
- resources:
- - jobs
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
 - apiGroups:
 - ""
 resources: