

rbac: Audit * verbs from kubevirt-tekton-tasks
This change drops the `*` verbs from the tekton tasks RBAC rules. The process
followed was:

* Drop all tekton tasks permissions using `*` verbs.
* Run unit tests.
* Add required permissions.
* Run functional tests.
* Add required permissions.

This process ensures that only strictly required permissions are added.
Fix: https://bugzilla.redhat.com/show_bug.cgi?id=2223775

Signed-off-by: Javier Cano Cano <jcanocan@redhat.com>
jcanocan committed Oct 10, 2023
1 parent ef4e613 commit a5705e4
Showing 3 changed files with 34 additions and 30 deletions.
28 changes: 15 additions & 13 deletions config/rbac/role.yaml
Expand Up @@ -25,6 +25,15 @@ rules:
- list
- update
- watch
- apiGroups:
- '*'
resources:
- configmaps
verbs:
- create
- delete
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -105,7 +114,6 @@ rules:
resources:
- datavolumes
verbs:
- '*'
- create
- delete
- get
Expand All @@ -126,15 +134,6 @@ rules:
- infrastructures
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -162,7 +161,6 @@ rules:
resources:
- persistentvolumeclaims
verbs:
- '*'
- create
- delete
- get
Expand Down Expand Up @@ -200,7 +198,11 @@ rules:
resources:
- secrets
verbs:
- '*'
- create
- delete
- get
- list
- patch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -275,7 +277,7 @@ rules:
resources:
- virtualmachines/finalizers
verbs:
- '*'
- get
- apiGroups:
- monitoring.coreos.com
resources:
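Review bot: The `configmaps` rule added in the first hunk of this file uses `apiGroups: - '*'`, while the `configmaps` rule it replaces (removed in the third hunk, below `infrastructures`) was scoped to the core group `""`. ConfigMaps exist only in the core API group, so the wildcard group grants the same verbs on any resource named `configmaps` in every API group, which is broader than the old rule and contradicts the commit's stated goal of keeping only strictly required permissions; the generated rule should read `- apiGroups:` / `- ""` with the same `create`/`delete`/`list`/`watch` verbs. Since this file is generated from kubebuilder markers and the marker for configmaps is not among the visible Go lines, the fix belongs on that marker (its `groups=` value) followed by regeneration; data/olm-catalog/ssp-operator.clusterserviceversion.yaml carries the identical rule and would be corrected by the same regeneration.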
28 changes: 15 additions & 13 deletions data/olm-catalog/ssp-operator.clusterserviceversion.yaml
Expand Up @@ -83,6 +83,15 @@ spec:
- list
- update
- watch
- apiGroups:
- '*'
resources:
- configmaps
verbs:
- create
- delete
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -163,7 +172,6 @@ spec:
resources:
- datavolumes
verbs:
- '*'
- create
- delete
- get
Expand All @@ -184,15 +192,6 @@ spec:
- infrastructures
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -220,7 +219,6 @@ spec:
resources:
- persistentvolumeclaims
verbs:
- '*'
- create
- delete
- get
Expand Down Expand Up @@ -258,7 +256,11 @@ spec:
resources:
- secrets
verbs:
- '*'
- create
- delete
- get
- list
- patch
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -333,7 +335,7 @@ spec:
resources:
- virtualmachines/finalizers
verbs:
- '*'
- get
- apiGroups:
- monitoring.coreos.com
resources:
8 changes: 4 additions & 4 deletions internal/operands/tekton-tasks/reconcile.go
Expand Up @@ -22,12 +22,12 @@ import (
// +kubebuilder:rbac:groups=subresources.kubevirt.io,resources=virtualmachines/restart;virtualmachines/start;virtualmachines/stop,verbs=update
// +kubebuilder:rbac:groups=template.openshift.io,resources=templates,verbs=get;list;watch;create;patch;update;delete
// +kubebuilder:rbac:groups=template.openshift.io,resources=processedtemplates,verbs=create
// +kubebuilder:rbac:groups=cdi.kubevirt.io,resources=datavolumes,verbs=*
// +kubebuilder:rbac:groups=cdi.kubevirt.io,resources=datavolumes,verbs=get;create;delete
// +kubebuilder:rbac:groups=cdi.kubevirt.io,resources=datasources,verbs=get;create;delete
// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines/finalizers,verbs=*
// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=*
// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines/finalizers,verbs=get
// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;update;delete
// +kubebuilder:rbac:groups=core,resources=pods,verbs=create
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=*
// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;patch;delete

const (
operandName = "tekton-tasks"
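Review bot: The `virtualmachines/finalizers` marker is narrowed to `verbs=get`, but as far as I know the `*/finalizers` resource is not a readable endpoint; it is the permission the OwnerReferencesPermissionEnforcement admission plugin checks, and that check requires `update` when an owner reference sets `blockOwnerDeletion`, so `get` alone is likely either dead weight or insufficient, and it is worth confirming which test actually exercised it. The `datavolumes` marker no longer grants `list` or `watch`, so any informer or cached client over DataVolumes in this operand would be denied at runtime; the visible hunk cannot show whether one exists. Because the commit message says each verb was derived by running the unit and functional tests, a short comment above each tightened marker naming the task or code path that needs its write verbs, e.g. `// create/delete needed by <task name> when it provisions disks`, would make the next RBAC audit much cheaper.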
