fix: remove unnecessary rbac permissions for mwh (#782)

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Azure · Mar 8, 2023 · 8a7e5b3 · 8a7e5b3
1 parent 3aa580e
commit 8a7e5b3
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 20 deletions.
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -11,22 +11,16 @@ rules:
   resources:
   - serviceaccounts
   verbs:
-  - create
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - mutatingwebhookconfigurations
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
 

diff --git a/...charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-clusterrole.yaml b/...charts/workload-identity-webhook/templates/azure-wi-webhook-manager-role-clusterrole.yaml
@@ -14,21 +14,15 @@ rules:
   resources:
   - serviceaccounts
   verbs:
-  - create
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - mutatingwebhookconfigurations
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
diff --git a/manifest_staging/deploy/azure-wi-webhook.yaml b/manifest_staging/deploy/azure-wi-webhook.yaml
@@ -54,22 +54,16 @@ rules:
   resources:
   - serviceaccounts
   verbs:
-  - create
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - mutatingwebhookconfigurations
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
   - update
   - watch
 ---

diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -33,11 +33,11 @@ var (
 )
 
 // +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=mutation.azure-workload-identity.io,sideEffects=None,admissionReviewVersions=v1;v1beta1,matchPolicy=Equivalent
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch
 
 // this is required for the webhook server certs generated and rotated as part of cert-controller rotator
 // +kubebuilder:rbac:groups="",namespace=azure-workload-identity-system,resources=secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
 
 // podMutator mutates pod objects to add project service account token volume
 type podMutator struct {