From 06427396c9daaeb82bf3ad9a28aa954faf500971 Mon Sep 17 00:00:00 2001
From: Wiz Abhi
Date: Fri, 15 May 2026 01:25:34 +0530
Subject: [PATCH] Remove wildcard permissions from knative-serving-core ClusterRole

Replace '*' wildcards in resources for Knative-owned API groups with explicit resource lists to follow the principle of least privilege.
Changes:
- Expand resources for serving.knative.dev, autoscaling.internal.knative.dev, and networking.internal.knative.dev apiGroups to list all CRDs explicitly including their /status and /finalizers subresources.
- Preserve apiGroups: ['*'] / resources: ['*/scale'] to maintain multi-type workload scaling support added in #16540.
Fixes #16599

---
 config/core/200-roles/clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/core/200-roles/clusterrole.yaml b/config/core/200-roles/clusterrole.yaml
index e76a24f76652..ebea361de973 100644
--- a/config/core/200-roles/clusterrole.yaml
+++ b/config/core/200-roles/clusterrole.yaml
@@ -52,7 +52,7 @@ rules:
 resources: ["leases"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["serving.knative.dev", "autoscaling.internal.knative.dev", "networking.internal.knative.dev"]
- resources: ["*", "*/status", "*/finalizers"]
+ resources: ["configurations", "configurations/status", "configurations/finalizers", "revisions", "revisions/status", "revisions/finalizers", "routes", "routes/status", "routes/finalizers", "services", "services/status", "services/finalizers", "domainmappings", "domainmappings/status", "domainmappings/finalizers", "metrics", "metrics/status", "metrics/finalizers", "podautoscalers", "podautoscalers/status", "podautoscalers/finalizers", "certificates", "certificates/status", "certificates/finalizers", "ingresses", "ingresses/status", "ingresses/finalizers", "serverlessservices", "serverlessservices/status", "serverlessservices/finalizers", "clusterdomainclaims", "clusterdomainclaims/status", "clusterdomainclaims/finalizers"]
 verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"]
 - apiGroups: ["caching.internal.knative.dev"]
 resources: ["images"]
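Review bot: The new resources list is still granted across all three apiGroups at once, because a single RBAC rule is the cross-product of its apiGroups, resources and verbs, so for example `routes` and `services` are also permitted in networking.internal.knative.dev and `ingresses` in serving.knative.dev, where no such kinds exist today. That leaves the grant broader than the commit message describes, and a future CRD whose plural collides with one of these names in another Knative group would be covered without anyone revisiting this role. Splitting the entry into one rule per apiGroup, each listing only its own kinds, closes that gap; the grouping below follows my reading of the Knative CRDs and should be checked against the CRD manifests in this repo. An explicit list also has to be kept in step when a Knative CRD is added or removed, so a comment above the rule such as `# Keep in sync with the Knative CRDs: new kinds must be listed here explicitly.` would help the next maintainer. The enclosing `rules:` sequence starts outside the hunk.
```yaml
  - apiGroups: ["serving.knative.dev"]
    resources: ["configurations", "configurations/status", "configurations/finalizers",
                "revisions", "revisions/status", "revisions/finalizers",
                "routes", "routes/status", "routes/finalizers",
                "services", "services/status", "services/finalizers",
                "domainmappings", "domainmappings/status", "domainmappings/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"]
  - apiGroups: ["autoscaling.internal.knative.dev"]
    resources: ["metrics", "metrics/status", "metrics/finalizers",
                "podautoscalers", "podautoscalers/status", "podautoscalers/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"]
  - apiGroups: ["networking.internal.knative.dev"]
    resources: ["certificates", "certificates/status", "certificates/finalizers",
                "ingresses", "ingresses/status", "ingresses/finalizers",
                "serverlessservices", "serverlessservices/status", "serverlessservices/finalizers",
                "clusterdomainclaims", "clusterdomainclaims/status", "clusterdomainclaims/finalizers"]
    verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"]
  # … unchanged: caching.internal.knative.dev rule …
```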