Move SCC RBAC from ClusterRole to Role

Working on simplifying and reducing our access scope as much as possible. It appears moving SCC RBAC from ClusterRole to Role allows things to continue to work with Prometheus. It's possible further testing may reveal this will need to reverted.
infrawatch · Sep 19, 2023 · ed7bc56 · ed7bc56
1 parent 0273250
commit ed7bc56
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/roles/servicetelemetry/tasks/component_prometheus.yml b/roles/servicetelemetry/tasks/component_prometheus.yml
@@ -48,15 +48,6 @@
  - namespaces
  verbs:
  - get
- - apiGroups:
- - security.openshift.io
- resourceNames:
- - nonroot
- - nonroot-v2
- resources:
- - securitycontextconstraints
- verbs:
- - use
 
 - name: Create ClusterRoleBinding/prometheus-stf
  k8s:
@@ -102,6 +93,15 @@
  - get
  - list
  - watch
+ - apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - nonroot
+ - nonroot-v2
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 
 - name: Create RoleBinding/prometheus-stf
  k8s: