Allow tigera-network-admin to create any secret

tigera · Nov 27, 2023 · 939336d · 939336d
1 parent 770902a
commit 939336d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -1783,7 +1783,15 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 			Resources: []string{"securityeventwebhooks"},
 			Verbs:     []string{"get", "list", "update", "patch", "create", "delete"},
 		},
-		// Allow the user to create and patch webhooks-secret secret.
+		// Allow the user to create secrets.
+		{
+			APIGroups: []string{""},
+			Resources: []string{
+				"secrets",
+			},
+			Verbs: []string{"create"},
+		},
+		// Allow the user to patch webhooks-secret secret.
 		{
 			APIGroups: []string{""},
 			Resources: []string{
@@ -1792,7 +1800,7 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
 			ResourceNames: []string{
 				"webhooks-secret",
 			},
-			Verbs: []string{"create", "patch"},
+			Verbs: []string{"patch"},
 		},
 	}
 

diff --git a/pkg/render/apiserver_test.go b/pkg/render/apiserver_test.go
@@ -1510,11 +1510,16 @@ var (
 			Resources: []string{"securityeventwebhooks"},
 			Verbs:     []string{"get", "list", "update", "patch", "create", "delete"},
 		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"create"},
+		},
 		{
 			APIGroups:     []string{""},
 			Resources:     []string{"secrets"},
 			ResourceNames: []string{"webhooks-secret"},
-			Verbs:         []string{"create", "patch"},
+			Verbs:         []string{"patch"},
 		},
 	}
 )