replace wildcard permissions with explicit resources/operations (#9516)

* replace wildcard permissions with explicit resources/operations Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * core extra resources Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2024-01-29 14:35:05 +01:00 · 2024-01-29 14:35:05 +01:00 · 3234d0c1df
commit 3234d0c1df
parent 8298a9a858
6 changed files with 50 additions and 30 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -353,6 +353,7 @@ The chart values are organised per component.
 | admissionController.rbac.create | bool | `true` | Create RBAC resources |
 | admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
 | admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
 | admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
 | admissionController.replicas | int | `nil` | Desired number of pods |
@ -599,6 +600,7 @@ The chart values are organised per component.
 | reportsController.rbac.create | bool | `true` | Create RBAC resources |
 | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
 | reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
 | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | reportsController.image.registry | string | `"ghcr.io"` | Image registry |
 | reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository |
--- a/charts/kyverno/templates/NOTES.txt
+++ b/charts/kyverno/templates/NOTES.txt
@ -40,7 +40,7 @@ The following components have been installed in your cluster:
 {{- end }}

 {{- with .Values.features.validatingAdmissionPolicyReports.enabled }}
-⚠️  WARNING: Generating reports from ValidatingAdmissionPolicies require a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
+⚠️  WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
 {{- end }}

 💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@ -141,14 +141,9 @@ rules:
      - get
      - list
      - watch
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - get
-      - list
-      - watch
+{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- with .Values.admissionController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/charts/kyverno/templates/reports-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml
@ -18,14 +18,6 @@ metadata:
  labels:
    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
 rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - get
-      - list
-      - watch
  - apiGroups:
      - ''
    resources:
@ -93,6 +85,9 @@ rules:
    verbs:
      - create
      - patch
+{{- with .Values.reportsController.rbac.coreClusterRole.extraResources }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- with .Values.reportsController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -829,6 +829,20 @@ admissionController:
      annotations: {}
        # example.com/annotation: value

+    coreClusterRole:
+      # -- Extra resource permissions to add in the core cluster role.
+      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
+      # @default -- See [values.yaml](values.yaml)
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
+
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
@ -1831,6 +1845,20 @@ reportsController:
      annotations: {}
        # example.com/annotation: value

+    coreClusterRole:
+      # -- Extra resource permissions to add in the core cluster role.
+      # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`.
+      # @default -- See [values.yaml](values.yaml)
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
+
    clusterRole:
      # -- Extra resource permissions to add in the cluster role
      extraResources: []
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -50364,13 +50364,13 @@ rules:
      - list
      - watch
  - apiGroups:
-      - '*'
+    - '*'
    resources:
-      - '*'
+    - '*'
    verbs:
-      - get
-      - list
-      - watch
+    - get
+    - list
+    - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -50828,14 +50828,6 @@ metadata:
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: latest
 rules:
-  - apiGroups:
-      - '*'
-    resources:
-      - '*'
-    verbs:
-      - get
-      - list
-      - watch
  - apiGroups:
      - ''
    resources:
@ -50903,6 +50895,14 @@ rules:
    verbs:
      - create
      - patch
+  - apiGroups:
+    - '*'
+    resources:
+    - '*'
+    verbs:
+    - get
+    - list
+    - watch
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1