Audit rbac, avoid global (*) permissions

There are some permissions which are logically not needed, and some others where we can just reduce the verb set allowed. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
kubevirt · Aug 24, 2023 · 376f0f0 · 376f0f0
1 parent cc8dbc3
commit 376f0f0
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 54 deletions.
diff --git a/pkg/operator/resources/cluster/apiserver.go b/pkg/operator/resources/cluster/apiserver.go
@@ -136,7 +136,6 @@ func getAPIServerClusterPolicyRules() []rbacv1.PolicyRule {
 				"datasources",
 			},
 			Verbs: []string{
-				"list",
 				"get",
 			},
 		},
@@ -159,7 +158,7 @@ func getAPIServerClusterPolicyRules() []rbacv1.PolicyRule {
 				"cdis/finalizers",
 			},
 			Verbs: []string{
-				"*",
+				"update",
 			},
 		},
 	}

diff --git a/pkg/operator/resources/cluster/controller.go b/pkg/operator/resources/cluster/controller.go
@@ -155,10 +155,16 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"snapshot.storage.k8s.io",
 			},
 			Resources: []string{
-				"*",
+				"volumesnapshots",
+				"volumesnapshotclasses",
+				"volumesnapshotcontents",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"delete",
 			},
 		},
 		{
@@ -211,30 +217,6 @@ func getControllerClusterPolicyRules() []rbacv1.PolicyRule {
 				"create",
 			},
 		},
-		{
-			APIGroups: []string{
-				"batch",
-			},
-			Resources: []string{
-				"cronjobs",
-			},
-			Verbs: []string{
-				"list",
-				"watch",
-			},
-		},
-		{
-			APIGroups: []string{
-				"batch",
-			},
-			Resources: []string{
-				"jobs",
-			},
-			Verbs: []string{
-				"list",
-				"watch",
-			},
-		},
 		{
 			APIGroups: []string{
 				"kubevirt.io",

diff --git a/pkg/operator/resources/namespaced/apiserver.go b/pkg/operator/resources/namespaced/apiserver.go
@@ -70,7 +70,10 @@ func createAPIServerRole() *rbacv1.Role {
 				"configmaps",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
 			},
 		},
 	}

diff --git a/pkg/operator/resources/namespaced/controller.go b/pkg/operator/resources/namespaced/controller.go
@@ -70,7 +70,12 @@ func createControllerRole() *rbacv1.Role {
 				"configmaps",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -113,6 +118,8 @@ func createControllerRole() *rbacv1.Role {
 			Verbs: []string{
 				"create",
 				"delete",
+				"list",
+				"watch",
 			},
 		},
 		{
@@ -123,7 +130,9 @@ func createControllerRole() *rbacv1.Role {
 				"leases",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"create",
+				"update",
 			},
 		},
 		{

diff --git a/pkg/operator/resources/operator/operator.go b/pkg/operator/resources/operator/operator.go
@@ -54,7 +54,12 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 				"clusterroles",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -74,31 +79,21 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 		},
 		{
 			APIGroups: []string{
-				"",
+				"apiextensions.k8s.io",
 			},
 			Resources: []string{
-				"pods",
-				"services",
+				"customresourcedefinitions",
+				"customresourcedefinitions/status",
 			},
 			Verbs: []string{
 				"get",
 				"list",
 				"watch",
+				"create",
+				"update",
 				"delete",
 			},
 		},
-		{
-			APIGroups: []string{
-				"apiextensions.k8s.io",
-			},
-			Resources: []string{
-				"customresourcedefinitions",
-				"customresourcedefinitions/status",
-			},
-			Verbs: []string{
-				"*",
-			},
-		},
 		{
 			APIGroups: []string{
 				"cdi.kubevirt.io",
@@ -120,7 +115,12 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 				"mutatingwebhookconfigurations",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -131,7 +131,12 @@ func getClusterPolicyRules() []rbacv1.PolicyRule {
 				"apiservices",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 	}
@@ -165,7 +170,12 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 				"roles",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -180,7 +190,13 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 				"services",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"patch",
+				"delete",
 			},
 		},
 		{
@@ -192,7 +208,12 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 				"deployments/finalizers",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
+				"delete",
 			},
 		},
 		{
@@ -204,7 +225,11 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 				"routes/custom-host",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"list",
+				"watch",
+				"create",
+				"update",
 			},
 		},
 		{
@@ -246,7 +271,9 @@ func getNamespacedPolicyRules() []rbacv1.PolicyRule {
 				"leases",
 			},
 			Verbs: []string{
-				"*",
+				"get",
+				"create",
+				"update",
 			},
 		},
 	}