From 626013f8468ebe0f29e7adcdd40a5423f83d9b09 Mon Sep 17 00:00:00 2001
From: Alan Clucas
Date: Thu, 27 Oct 2022 10:23:49 +0100
Subject: [PATCH] Restrict RBAC permissions

---
 deploy/cluster_role.yaml | 31 +++++++++++++++++++++++++++++++
 deploy/cluster_role_binding.yaml | 11 +++++++++++
 deploy/kustomization.yaml | 2 ++
 deploy/role.yaml | 32 +++++++++----------------------
 deploy/role_binding.yaml | 4 ++--
 5 files changed, 55 insertions(+), 25 deletions(-)
 create mode 100644 deploy/cluster_role.yaml
 create mode 100644 deploy/cluster_role_binding.yaml

diff --git a/deploy/cluster_role.yaml b/deploy/cluster_role.yaml
new file mode 100644
index 00000000..f9edd290
--- /dev/null
+++ b/deploy/cluster_role.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ext-postgres-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resourceNames:
+  - ext-postgres-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - db.movetokube.com
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - '*'
diff --git a/deploy/cluster_role_binding.yaml b/deploy/cluster_role_binding.yaml
new file mode 100644
index 00000000..bd95e040
--- /dev/null
+++ b/deploy/cluster_role_binding.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ext-postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: ext-postgres-operator
+roleRef:
+  kind: ClusterRole
+  name: ext-postgres-operator
+  apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 50eebf9c..91358dd7 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
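Review bot: The first rule of the new ClusterRole grants verbs `'*'` on `secrets` across every namespace, which is the broadest Secret access a ServiceAccount can hold and means a compromise of the operator pod exposes every Secret in the cluster, including other ServiceAccount tokens and TLS keys. That sits oddly in a commit titled "Restrict RBAC permissions"; if the operator only needs to manage the credential Secrets it creates for its own CRs, enumerate the verbs it actually uses, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, and the same narrowing applies to the `'*'` on `servicemonitors`. Whether cluster-wide (rather than per-namespace) Secret access is genuinely needed cannot be told from this patch, so a one-line comment above the rule stating why it must be cluster-scoped would help the next reviewer, e.g. `# cluster-scoped: PostgresUser CRs in any namespace get a credentials Secret`.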
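Review bot: The ServiceAccount subject in the new ClusterRoleBinding carries no `namespace`, and the API server rejects ClusterRoleBinding ServiceAccount subjects without one, so this manifest only applies if kustomize's namespace transformer injects it (a `namespace:` field in kustomization.yaml, which this patch does not show). Anyone applying the file directly, or reusing it outside the kustomization, gets a validation error rather than a binding. Either add `  namespace: <operator namespace>` under the subject, or make the dependency explicit with a comment such as `# subject namespace is injected by the kustomization's namespace field`.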
@@ -7,6 +7,8 @@ resources:
 - crds/db.movetokube.com_postgres_crd.yaml
 - crds/db.movetokube.com_postgresusers_crd.yaml
 - operator.yaml
+- cluster_role.yaml
+- cluster_role_binding.yaml
 - role.yaml
 - role_binding.yaml
 - service_account.yaml
diff --git a/deploy/role.yaml b/deploy/role.yaml
index fe890467..5dc30e6d 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -1,40 +1,26 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: ext-postgres-operator
 rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
   - configmaps
   - secrets
+  - services
   verbs:
   - '*'
 - apiGroups:
-  - apps
-  resources:
-  - deployments
-  - daemonsets
-  - replicasets
-  - statefulsets
-  verbs:
-  - '*'
-- apiGroups:
-  - apps
-  resourceNames:
-  - ext-postgres-operator
+  - ""
   resources:
-  - deployments/finalizers
+  - pods
   verbs:
-  - update
+  - 'get'
 - apiGroups:
-  - db.movetokube.com
+  - "apps"
   resources:
-  - '*'
+  - replicasets
+  - deployments
   verbs:
-  - '*'
+  - 'get'
diff --git a/deploy/role_binding.yaml b/deploy/role_binding.yaml
index bd95e040..3198ede7 100644
--- a/deploy/role_binding.yaml
+++ b/deploy/role_binding.yaml
@@ -1,4 +1,4 @@
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ext-postgres-operator
@@ -6,6 +6,6 @@ subjects:
 - kind: ServiceAccount
   name: ext-postgres-operator
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: ext-postgres-operator
   apiGroup: rbac.authorization.k8s.io
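Review bot: The first rule of the namespaced Role still grants `verbs: ['*']` on `configmaps`, `secrets` and `services`, so the only resources left with a wildcard are the ones an attacker with the operator's token would want most; the later rules show the intended pattern (`- 'get'`), and the write verbs the controller really issues should be listed the same way. The `secrets` entry here is also entirely covered by the cluster-wide secrets rule the same commit adds, so one of the two grants is redundant and the overlap makes the effective permissions harder to audit. Whether the controller creates Services at all cannot be told from this patch (an operator for an external database may not), so that entry is worth checking against the reconciler before keeping it. Minor style point: the new lines mix `'get'`, `"apps"` and `- ""` while the old file used unquoted `update`/`apps`; plain `get` and `apps` are unambiguous YAML and keep the file consistent.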