Less control over cluster webhooks

Following https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks We know the names of our validating/mutating webhooks upfront, so we can only allow update/delete on those. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
kubevirt · Aug 27, 2023 · 1971de3 · 1971de3
1 parent cda6296
commit 1971de3
Showing 1 changed file with 39 additions and 1 deletion.
diff --git a/pkg/operator/resources/operator/operator.go b/pkg/operator/resources/operator/operator.go
@@ -118,7 +118,45 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 				"mutatingwebhookconfigurations",
 			},
 			Verbs: []string{
-				"*",
+				"create",
+				"list",
+				"watch",
+			},
+		},
+		{
+			APIGroups: []string{
+				"admissionregistration.k8s.io",
+			},
+			Resources: []string{
+				"validatingwebhookconfigurations",
+			},
+			ResourceNames: []string{
+				"cdi-api-dataimportcron-validate",
+				"cdi-api-populator-validate",
+				"cdi-api-datavolume-validate",
+				"cdi-api-validate",
+				"objecttransfer-api-validate",
+			},
+			Verbs: []string{
+				"get",
+				"update",
+				"delete",
+			},
+		},
+		{
+			APIGroups: []string{
+				"admissionregistration.k8s.io",
+			},
+			Resources: []string{
+				"mutatingwebhookconfigurations",
+			},
+			ResourceNames: []string{
+				"cdi-api-datavolume-mutate",
+			},
+			Verbs: []string{
+				"get",
+				"update",
+				"delete",
 			},
 		},
 		{