feat: add more granular rbac rules to remove wildcards (#9507)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-04-08 10:04:25 +00:00 · 2024-01-24 17:07:18 +01:00 · 2024-01-24 17:07:18 +01:00 · 451d362104
commit 451d362104
parent 3ef598c155
3 changed files with 84 additions and 0 deletions
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@ -58,6 +58,7 @@ rules:
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
+      - policyexceptions
    verbs:
      - create
      - delete
@ -98,6 +99,34 @@ rules:
      - subjectaccessreviews
    verbs:
      - create
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - update
+      - patch
+      - get
+      - list
+      - watch
  - apiGroups:
      - '*'
    resources:
--- a/charts/kyverno/templates/reports-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml
@ -26,6 +26,16 @@ rules:
      - get
      - list
      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+      - configmaps
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - kyverno.io
    resources:
@ -33,6 +43,9 @@ rules:
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
+      - policyexceptions
+      - policies
+      - clusterpolicies
    verbs:
      - create
      - delete
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -49265,6 +49265,7 @@ rules:
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
+      - policyexceptions
    verbs:
      - create
      - delete
@ -49305,6 +49306,34 @@ rules:
      - subjectaccessreviews
    verbs:
      - create
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - update
+      - patch
+      - get
+      - list
+      - watch
  - apiGroups:
      - '*'
    resources:
@ -49747,6 +49776,16 @@ rules:
      - get
      - list
      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+      - configmaps
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - kyverno.io
    resources:
@ -49754,6 +49793,9 @@ rules:
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
+      - policyexceptions
+      - policies
+      - clusterpolicies
    verbs:
      - create
      - delete