Remove ResourceNames field on Linseed's ClusterRole for secrets access (

#2903)
tigera · Sep 28, 2023 · a13d43a · a13d43a
1 parent 40e0dc5
commit a13d43a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 12 deletions.
diff --git a/pkg/render/logstorage/linseed/linseed.go b/pkg/render/logstorage/linseed/linseed.go
@@ -188,10 +188,9 @@ func (l *linseed) linseedClusterRole() *rbacv1.ClusterRole {
 		// These permissions are necessary to allow the management cluster to monitor secrets that we want to propagate
 		// through to the managed cluster for identity verification such as the Voltron Linseed public certificate
 		{
-			APIGroups:     []string{""},
-			Resources:     []string{"secrets"},
-			Verbs:         []string{"get", "list", "watch"},
-			ResourceNames: []string{fmt.Sprintf("%s/%s", l.cfg.Namespace, render.VoltronLinseedPublicCert)},
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"get", "list", "watch"},
 		},
 	}
 

diff --git a/pkg/render/logstorage/linseed/linseed_test.go b/pkg/render/logstorage/linseed/linseed_test.go
@@ -117,10 +117,9 @@ var _ = Describe("Linseed rendering tests", func() {
 			createResources, _ := component.Objects()
 			cr := rtest.GetResource(createResources, ClusterRoleName, "", rbacv1.GroupName, "v1", "ClusterRole").(*rbacv1.ClusterRole)
 			secretsRules := rbacv1.PolicyRule{
-				APIGroups:     []string{""},
-				Resources:     []string{"secrets"},
-				Verbs:         []string{"get", "list", "watch"},
-				ResourceNames: []string{fmt.Sprintf("%s/%s", cfg.Namespace, render.VoltronLinseedPublicCert)},
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"get", "list", "watch"},
 			}
 			Expect(cr.Rules).To(ContainElement(secretsRules))
 		})
@@ -456,10 +455,9 @@ func compareResources(resources []client.Object, expectedResources []resourceTes
 			Verbs:     []string{"list", "watch"},
 		},
 		{
-			APIGroups:     []string{""},
-			Resources:     []string{"secrets"},
-			Verbs:         []string{"get", "list", "watch"},
-			ResourceNames: []string{fmt.Sprintf("%s/%s", render.ElasticsearchNamespace, render.VoltronLinseedPublicCert)},
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"get", "list", "watch"},
 		},
 	}))
 	clusterRoleBinding := rtest.GetResource(resources, ClusterRoleName, "", "rbac.authorization.k8s.io", "v1", "ClusterRoleBinding").(*rbacv1.ClusterRoleBinding)