From f09666dead9cd2c976dc144c9a9f3825bcbd7624 Mon Sep 17 00:00:00 2001
From: Vara
Date: Thu, 5 Dec 2024 15:37:09 -0800
Subject: [PATCH] Restrict tigera-operator secret access to namespace only, retain get/list/watch cluster-wide
---
.../02-role-tigera-operator-secrets.yaml | 16 ++++++++
.../02-role-tigera-operator.yaml | 2 +-
...2-rolebinding-tigera-operator-secrets.yaml | 15 ++++++++
.../ocp/02-role-tigera-operator-secrets.yaml | 16 ++++++++
manifests/ocp/02-role-tigera-operator.yaml | 2 +-
...2-rolebinding-tigera-operator-secrets.yaml | 15 ++++++++
manifests/tigera-operator.yaml | 37 ++++++++++++++++++-
7 files changed, 100 insertions(+), 3 deletions(-)
create mode 100644 charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
create mode 100644 charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
create mode 100644 manifests/ocp/02-role-tigera-operator-secrets.yaml
create mode 100644 manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml
diff --git a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
new file mode 100644
index 00000000000..21b25a64c6c
--- /dev/null
+++ b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
@@ -0,0 +1,16 @@
+# Permissions required to manipulate operator secrets for a Calico cluster.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tigera-operator-secrets
+ labels:
+ {{- include "tigera-operator.labels" (dict "context" .) | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - delete
diff --git a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
index b8482540088..2c963f1835a 100644
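Review bot: `kind: ClusterRole` for tigera-operator-secrets creates a cluster-scoped object whose only intended consumer is the namespaced RoleBinding added in 02-rolebinding-tigera-operator-secrets.yaml, so a RoleBinding in any other namespace can reference it and hand out secret create/update/delete there; unless the role is meant to be reused across namespaces, a namespaced `Role` expresses the "namespace only" intent of the subject line directly. That is `kind: Role` plus `namespace: {{.Release.Namespace}}` under metadata here and `kind: Role` in the RoleBinding's roleRef, with the ocp copy and the generated manifests/tigera-operator.yaml following with `namespace: tigera-operator`. If ClusterRole is kept on purpose, a header comment should say so, e.g. `# Cluster-scoped so any namespace can reference it; bind only through a namespaced RoleBinding, never a ClusterRoleBinding.` The new verb list also has no `patch`; the removed rule's verb list continues outside the @@ -59 hunk of 02-role-tigera-operator.yaml, so confirm it did not grant more than create/update/delete before this move.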
--- a/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
+++ b/charts/tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
@@ -59,7 +59,6 @@ rules:
 - endpoints
 - events
 - configmaps
- - secrets
 - serviceaccounts
 verbs:
 - create
@@ -72,6 +71,7 @@ rules:
 - ""
 resources:
 - resourcequotas
+ - secrets
 verbs:
 - list
 - get
diff --git a/charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml b/charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
new file mode 100644
index 00000000000..785b4509138
--- /dev/null
+++ b/charts/tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tigera-operator-secrets
+ namespace: {{.Release.Namespace}}
+ labels:
+ {{- include "tigera-operator.labels" (dict "context" .) | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{.Release.Namespace}}
+ namespace: {{.Release.Namespace}}
+roleRef:
+ kind: ClusterRole
+ name: tigera-operator-secrets
+ apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/ocp/02-role-tigera-operator-secrets.yaml b/manifests/ocp/02-role-tigera-operator-secrets.yaml
new file mode 100644
index 00000000000..57913347c1f
--- /dev/null
+++ b/manifests/ocp/02-role-tigera-operator-secrets.yaml
@@ -0,0 +1,16 @@
+# Permissions required to manipulate operator secrets for a Calico cluster.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tigera-operator-secrets
+ labels:
+ k8s-app: tigera-operator
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - delete
diff --git a/manifests/ocp/02-role-tigera-operator.yaml b/manifests/ocp/02-role-tigera-operator.yaml
index 99b46a6ccbd..044253fb50c 100644
--- a/manifests/ocp/02-role-tigera-operator.yaml
+++ b/manifests/ocp/02-role-tigera-operator.yaml
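Review bot: The @@ -72 hunk moves `secrets` under the rule granting `list` and `get` (its verb list continues past the hunk), which, with the role presumably still bound cluster-wide as the subject line says, keeps read access to every Secret in the cluster; the reduction here is to writes only, and nothing in the file records that or points a reader of this rule to where write access now comes from. A comment on the moved entry would keep the next reviewer from either re-widening or re-tightening it, e.g. `# secrets: read-only cluster-wide; create/update/delete is granted only in the operator namespace by tigera-operator-secrets`. The same applies to the matching hunks in manifests/ocp/02-role-tigera-operator.yaml and the generated manifests/tigera-operator.yaml.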
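Review bot: `name: {{.Release.Namespace}}` on the ServiceAccount subject names the account after the release namespace, while the ocp copy and the generated manifests/tigera-operator.yaml bind `name: tigera-operator`; the generated file cannot tell the two apart because its namespace is also tigera-operator. If the chart's ServiceAccount template names the account tigera-operator, this line should be `name: tigera-operator`, otherwise an install into any other release namespace produces a RoleBinding to a non-existent subject — the API server accepts that silently, and the only symptom is the operator being forbidden to create, update or delete secrets in its own namespace. A chart render test with a non-default release namespace would pin whichever is intended.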
@@ -59,7 +59,6 @@ rules:
 - endpoints
 - events
 - configmaps
- - secrets
 - serviceaccounts
 verbs:
 - create
@@ -72,6 +71,7 @@ rules:
 - ""
 resources:
 - resourcequotas
+ - secrets
 verbs:
 - list
 - get
diff --git a/manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml b/manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml
new file mode 100644
index 00000000000..693a694ec9f
--- /dev/null
+++ b/manifests/ocp/02-rolebinding-tigera-operator-secrets.yaml
@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tigera-operator-secrets
+ namespace: tigera-operator
+ labels:
+ k8s-app: tigera-operator
+subjects:
+ - kind: ServiceAccount
+ name: tigera-operator
+ namespace: tigera-operator
+roleRef:
+ kind: ClusterRole
+ name: tigera-operator-secrets
+ apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml
index 102312b135b..a20584b1ddb 100644
--- a/manifests/tigera-operator.yaml
+++ b/manifests/tigera-operator.yaml
@@ -17,6 +17,24 @@ metadata:
 imagePullSecrets: []
 ---
+# Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml
+# Permissions required to manipulate operator secrets for a Calico cluster.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tigera-operator-secrets
+ labels:
+ k8s-app: tigera-operator
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - delete
+---
 # Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
 # Permissions required when running the operator for a Calico cluster.
 apiVersion: rbac.authorization.k8s.io/v1
@@ -79,7 +97,6 @@ rules:
 - endpoints
 - events
 - configmaps
- - secrets
 - serviceaccounts
 verbs:
 - create
@@ -92,6 +109,7 @@ rules:
 - ""
 resources:
 - resourcequotas
+ - secrets
 verbs:
 - list
 - get
@@ -386,6 +404,23 @@ roleRef:
 name: tigera-operator
 apiGroup: rbac.authorization.k8s.io
 ---
+# Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: tigera-operator-secrets
+ namespace: tigera-operator
+ labels:
+ k8s-app: tigera-operator
+subjects:
+ - kind: ServiceAccount
+ name: tigera-operator
+ namespace: tigera-operator
+roleRef:
+ kind: ClusterRole
+ name: tigera-operator-secrets
+ apiGroup: rbac.authorization.k8s.io
+---
 # Source: tigera-operator/templates/tigera-operator/02-tigera-operator.yaml
 apiVersion: apps/v1
 kind: Deployment