
Commit dffa051

committed
Update role and clusterRole permissions
Signed-off-by: chiragkyal <[email protected]>
1 parent c4b6625 commit dffa051

4 files changed

+30
-67
lines changed


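--- a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
@@ -204,7 +204,7 @@ metadata:
 categories: Security
 console.openshift.io/disable-operand-delete: "true"
 containerImage: openshift.io/external-secrets-operator:latest
-createdAt: "2025-08-19T13:00:56Z"
+createdAt: "2025-08-20T10:27:07Z"
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "false"
 features.operators.openshift.io/csi: "false"
@@ -429,8 +429,6 @@ spec:
 resources:
 - customresourcedefinitions
 verbs:
-- create
-- delete
 - get
 - patch
 - update
@@ -588,54 +586,38 @@ spec:
 - update
 - apiGroups:
 - rbac.authorization.k8s.io
-resourceNames:
-- external-secrets-cert-controller
-- external-secrets-controller
 resources:
 - clusterrolebindings
+- clusterroles
 verbs:
 - create
 - delete
 - get
+- list
 - patch
 - update
+- watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
-- clusterrolebindings
-- clusterroles
+- rolebindings
+- roles
 verbs:
 - list
 - watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resourceNames:
-- external-secrets-cert-controller
-- external-secrets-controller
-- external-secrets-edit
-- external-secrets-servicebindings
-- external-secrets-view
-resources:
-- clusterroles
-verbs:
-- create
-- delete
-- get
-- patch
-- update
-- apiGroups:
-- rbac.authorization.k8s.io
+- external-secrets-leaderelection
 resources:
 - rolebindings
 - roles
 verbs:
 - create
 - delete
 - get
-- list
 - patch
 - update
-- watch
 - apiGroups:
 - authentication.k8s.io
 resources: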

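--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -91,8 +91,6 @@ rules:
 resources:
 - customresourcedefinitions
 verbs:
-- create
-- delete
 - get
 - patch
 - update
@@ -250,51 +248,35 @@ rules:
 - update
 - apiGroups:
 - rbac.authorization.k8s.io
-resourceNames:
-- external-secrets-cert-controller
-- external-secrets-controller
 resources:
 - clusterrolebindings
+- clusterroles
 verbs:
 - create
 - delete
 - get
+- list
 - patch
 - update
+- watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
-- clusterrolebindings
-- clusterroles
+- rolebindings
+- roles
 verbs:
 - list
 - watch
 - apiGroups:
 - rbac.authorization.k8s.io
 resourceNames:
-- external-secrets-cert-controller
-- external-secrets-controller
-- external-secrets-edit
-- external-secrets-servicebindings
-- external-secrets-view
-resources:
-- clusterroles
-verbs:
-- create
-- delete
-- get
-- patch
-- update
-- apiGroups:
-- rbac.authorization.k8s.io
+- external-secrets-leaderelection
 resources:
 - rolebindings
 - roles
 verbs:
 - create
 - delete
 - get
-- list
 - patch
 - update
-- watch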

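--- a/hack/validate-rbac-resourcenames.sh
+++ b/hack/validate-rbac-resourcenames.sh
@@ -109,14 +109,6 @@ validate_deployments() {
 validate_resource_type "Deployments" "deployments" "Deployment" "extract_asset_names"
 }
 
-validate_clusterroles() {
-validate_resource_type "ClusterRoles" "clusterroles" "ClusterRole" "extract_asset_names"
-}
-
-validate_clusterrolebindings() {
-validate_resource_type "ClusterRoleBindings" "clusterrolebindings" "ClusterRoleBinding" "extract_asset_names"
-}
-
 validate_webhooks() {
 validate_resource_type "ValidatingWebhookConfigurations" "validatingwebhookconfigurations" "ValidatingWebhookConfiguration" "extract_asset_names"
 }
@@ -125,6 +117,14 @@ validate_crds() {
 validate_resource_type "CustomResourceDefinitions" "customresourcedefinitions" "" "extract_crd_names"
 }
 
+validate_roles() {
+validate_resource_type "Roles" "roles" "Role" "extract_asset_names"
+}
+
+validate_rolebindings() {
+validate_resource_type "RoleBindings" "rolebindings" "RoleBinding" "extract_asset_names"
+}
+
 main() {
 local exit_code=0
 
@@ -133,14 +133,14 @@ main() {
 
 validate_deployments || exit_code=1
 echo
-validate_clusterroles || exit_code=1
-echo
-validate_clusterrolebindings || exit_code=1
-echo
 validate_webhooks || exit_code=1
 echo
 validate_crds || exit_code=1
 echo
+validate_roles || exit_code=1
+echo
+validate_rolebindings || exit_code=1
+echo
 
 if [[ $exit_code -eq 0 ]]; then
 echo "All RBAC resourceNames validations passed!"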
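Review bot: Deleting validate_clusterroles and validate_clusterrolebindings (old lines 112-118) together with their calls in main (old lines 136-139) leaves the script with no check at all over cluster-scoped RBAC assets, so the "All RBAC resourceNames validations passed!" message at line 146 now covers Deployments, webhooks, CRDs, Roles and RoleBindings only, while the ClusterRole rules are precisely the ones that lose their resourceNames bound in this commit. A short comment where the functions used to be would keep the next reader from treating the gap as an oversight, e.g. `# ClusterRoles/ClusterRoleBindings are intentionally not resourceName-scoped (see the RBAC markers in pkg/controller/external_secrets/controller.go); nothing to validate for them.` The new validate_roles and validate_rolebindings at new lines 120-126 follow the existing validate_resource_type pattern and need no change.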

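--- a/pkg/controller/external_secrets/controller.go
+++ b/pkg/controller/external_secrets/controller.go
@@ -96,11 +96,10 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets/finalizers,verbs=update
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch
 
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;update;patch;delete,resourceNames=external-secrets-controller;external-secrets-cert-controller;external-secrets-edit;external-secrets-view;external-secrets-servicebindings
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create;update;patch;delete,resourceNames=external-secrets-controller;external-secrets-cert-controller
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=list;watch
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=get;create;update;patch;delete,resourceNames=external-secrets-leaderelection
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;create;update;patch;delete,resourceNames=external-secrets-leaderelection
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=list;watch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;create;update;patch,resourceNames=externalsecret-validate;secretstore-validate
 // +kubebuilder:rbac:groups="",resources=events;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;delete;patch
@@ -113,7 +112,7 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=create
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list;watch
-// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;create;update;patch;delete,resourceNames=externalsecrets.external-secrets.io;secretstores.external-secrets.io;clustersecretstores.external-secrets.io;clusterexternalsecrets.external-secrets.io;pushsecrets.external-secrets.io;clusterpushsecrets.external-secrets.io;acraccesstokens.generators.external-secrets.io;clustergenerators.generators.external-secrets.io;ecrauthorizationtokens.generators.external-secrets.io;gcraccesstokens.generators.external-secrets.io;generatorstates.generators.external-secrets.io;githubaccesstokens.generators.external-secrets.io;grafanas.generators.external-secrets.io;mfas.generators.external-secrets.io;passwords.generators.external-secrets.io;quayaccesstokens.generators.external-secrets.io;sshkeys.generators.external-secrets.io;stssessiontokens.generators.external-secrets.io;uuids.generators.external-secrets.io;vaultdynamicsecrets.generators.external-secrets.io;webhooks.generators.external-secrets.io;externalsecrets.operator.openshift.io;externalsecretsmanagers.operator.openshift.io
+// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;update;patch,resourceNames=externalsecrets.external-secrets.io;secretstores.external-secrets.io;clustersecretstores.external-secrets.io;clusterexternalsecrets.external-secrets.io;pushsecrets.external-secrets.io;clusterpushsecrets.external-secrets.io;acraccesstokens.generators.external-secrets.io;clustergenerators.generators.external-secrets.io;ecrauthorizationtokens.generators.external-secrets.io;gcraccesstokens.generators.external-secrets.io;generatorstates.generators.external-secrets.io;githubaccesstokens.generators.external-secrets.io;grafanas.generators.external-secrets.io;mfas.generators.external-secrets.io;passwords.generators.external-secrets.io;quayaccesstokens.generators.external-secrets.io;sshkeys.generators.external-secrets.io;stssessiontokens.generators.external-secrets.io;uuids.generators.external-secrets.io;vaultdynamicsecrets.generators.external-secrets.io;webhooks.generators.external-secrets.io;externalsecrets.operator.openshift.io;externalsecretsmanagers.operator.openshift.io
 // +kubebuilder:rbac:groups=external-secrets.io,resources=clusterexternalsecrets;clustersecretstores;clusterpushsecrets;externalsecrets;secretstores;pushsecrets,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=external-secrets.io,resources=clusterexternalsecrets/finalizers;clustersecretstores/finalizers;externalsecrets/finalizers;pushsecrets/finalizers;secretstores/finalizers;clusterpushsecrets/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=external-secrets.io,resources=clusterexternalsecrets/status;clustersecretstores/status;externalsecrets/status;pushsecrets/status;secretstores/status;clusterpushsecrets/status,verbs=get;update;patch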
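Review bot: The new marker at new line 99 grants get, create, update, patch and delete on every ClusterRole and ClusterRoleBinding, whereas the removed markers at old lines 100 and 102 bounded those mutating verbs with a `resourceNames` list; the commit message gives no reason for dropping the bound, and the same widening is carried into config/rbac/role.yaml and the bundle CSV generated from these markers. Kubernetes RBAC escalation prevention still limits what the operator can write into a ClusterRole or bind to, but the same service account already holds get/list/watch/create/update/delete/patch on secrets (context line 105 in the new file), so an unscoped write on RBAC objects is a materially larger blast radius than the fixed list and deserves a why-comment next to the marker, e.g. `// ClusterRoles/ClusterRoleBindings are deliberately not bounded by resourceNames because <reason>; every object of these kinds is writable by the operator.` If the set of managed names is still fixed, keeping the two-marker shape used for roles/rolebindings at new lines 100-102 (unscoped list;watch, mutating verbs with resourceNames) would be the smaller change. The marker block sits above the Reconciler type, whose body continues outside the hunk.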
