Audit RBAC, avoid global (*) permissions #2866
Merged
Commits on Aug 28, 2023
-
Audit rbac, avoid global (*) permissions
There are some permissions which are logically not needed, and some others where we can just reduce the verb set allowed. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
-
Avoid unnecessary "persistentvolumes" create permission
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
-
Less control over cluster webhooks
Following https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks We know the names of our validating/mutating webhooks upfront, so we can only allow update/delete on those. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
-
Get rid of implicit escalate/bind verbs on operator roles
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.