Skip to content

Commit

Permalink
Reduce RBAC permissions requested for operator/webhook (#3702) (#3742)
Browse files Browse the repository at this point in the history
  • Loading branch information
@0sewa0
0sewa0 authored Sep 9, 2024
1 parent 1d8acc8 commit e14252e
Show file tree
Hide file tree
Showing 9 changed files with 22 additions and 155 deletions.
17 changes: 0 additions & 17 deletions config/helm/chart/default/templates/Common/operator/clusterrole-operator.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,28 +48,11 @@ rules:
resourceNames:
- dynatrace-dynakube-config
- dynatrace-metadata-enrichment-endpoint
- dynatrace-data-ingest-endpoint
- dynatrace-internal-proxy
verbs:
- get
- update
- delete
- list
- apiGroups:
- ""
resources:
- services
resourceNames:
- kubernetes
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down
17 changes: 2 additions & 15 deletions config/helm/chart/default/templates/Common/operator/role-operator.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,6 @@ rules:
- edgeconnects/status
verbs:
- update

- apiGroups:
- apps
resources:
Expand Down Expand Up @@ -80,7 +79,6 @@ rules:
- deployments/finalizers
verbs:
- update

- apiGroups:
- ""
resources:
Expand All @@ -100,8 +98,6 @@ rules:
- get
- list
- watch
- delete
- create
- apiGroups:
- ""
resources:
Expand All @@ -118,8 +114,9 @@ rules:
resources:
- events
verbs:
- list
- create
- get
- list
- apiGroups:
- ""
resources:
Expand All @@ -137,15 +134,6 @@ rules:
- pods/log
verbs:
- get

- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create

- apiGroups:
- networking.istio.io
resources:
Expand All @@ -157,7 +145,6 @@ rules:
- create
- update
- delete

- apiGroups:
- coordination.k8s.io
resources:
Expand Down
7 changes: 0 additions & 7 deletions config/helm/chart/default/templates/Common/webhook/clusterrole-webhook.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,6 @@ rules:
- list
- watch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
Expand Down
27 changes: 5 additions & 22 deletions config/helm/chart/default/templates/Common/webhook/role-webhook.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,19 +22,16 @@ rules:
- apiGroups:
- ""
resources:
- services
- configmaps
- secrets
- events
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- secrets
- pods
- configmaps
verbs:
- get
- list
Expand All @@ -47,26 +44,12 @@ rules:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- update
- create
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
---
Expand Down
16 changes: 2 additions & 14 deletions config/helm/chart/default/tests/Common/operator/role-operator_test.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,6 @@ tests:
- edgeconnects/status
verbs:
- update

- apiGroups:
- apps
resources:
Expand Down Expand Up @@ -77,7 +76,6 @@ tests:
- deployments/finalizers
verbs:
- update

- apiGroups:
- ""
resources:
Expand All @@ -97,8 +95,6 @@ tests:
- get
- list
- watch
- delete
- create
- apiGroups:
- ""
resources:
Expand All @@ -115,8 +111,9 @@ tests:
resources:
- events
verbs:
- list
- create
- get
- list
- apiGroups:
- ""
resources:
Expand All @@ -134,14 +131,6 @@ tests:
- pods/log
verbs:
- get
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create

- apiGroups:
- networking.istio.io
resources:
Expand All @@ -153,7 +142,6 @@ tests:
- create
- update
- delete

- apiGroups:
- coordination.k8s.io
resources:
Expand Down
10 changes: 0 additions & 10 deletions config/helm/chart/default/tests/Common/webhook/clusterrole-webhook_test.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,16 +24,6 @@ tests:
- list
- watch
- update
- contains:
path: rules
content:
apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- contains:
path: rules
content:
Expand Down
54 changes: 10 additions & 44 deletions config/helm/chart/default/tests/Common/webhook/role-webhook_test.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,19 +21,16 @@ tests:
- apiGroups:
- ""
resources:
- services
- configmaps
- secrets
- events
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- secrets
- pods
- configmaps
verbs:
- get
- list
Expand All @@ -46,26 +43,12 @@ tests:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- update
- create
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
- it: Role should exist on openshift
Expand All @@ -89,19 +72,16 @@ tests:
- apiGroups:
- ""
resources:
- services
- configmaps
- secrets
- events
verbs:
- get
- list
- watch
- create
- update
- patch
- apiGroups:
- ""
resources:
- secrets
- pods
- configmaps
verbs:
- get
- list
Expand All @@ -114,26 +94,12 @@ tests:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- update
- create
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
- it: RoleBinding should exist
Expand Down
4 changes: 0 additions & 4 deletions pkg/controllers/edgeconnect/controller.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,6 @@ const (
defaultUpdateInterval = 30 * time.Minute

finalizerName = "server"

defaultNamespaceName = "default"
kubernetesServiceName = "kubernetes"
kubeSystemNamespaceName = "kube-system"
)

var (
Expand Down
Loading

0 comments on commit e14252e

Please sign in to comment.