Further limit cluster-wide read-write permissions

Signed-off-by: Jason Hall <jasonhall@redhat.com>
tektoncd · Mar 16, 2021 · 02f5f42 · 02f5f42
1 parent 967a654
commit 02f5f42
Showing 1 changed file with 6 additions and 8 deletions.
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -50,19 +50,17 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
 rules:
+  # Read-write access to create Pods, K8s Events and PVCs (for Workspaces)
   - apiGroups: [""]
-    resources: ["pods", "pods/log", "events", "configmaps", "persistentvolumeclaims", "limitranges"]
+    resources: ["pods", "pods/log", "events", "persistentvolumeclaims"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  # Read-only access to these.
   - apiGroups: [""]
-    resources: ["secrets", "serviceaccounts"]
+    resources: ["configmaps", "limitranges", "secrets", "serviceaccounts"]
     verbs: ["get", "list", "watch"]
-    # Unclear if this access is actually required.  Simply a hold-over from the previous
-    # incarnation of the controller's ClusterRole.
+  # Read-write access to StatefulSets for Affinity Assistant.
   - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets"]
-    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-  - apiGroups: ["apps"]
-    resources: ["deployments/finalizers"]
+    resources: ["statefulsets"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 ---
 kind: ClusterRole