fix: harden cleanup controller rbac (#7626)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-30 19:35:06 +00:00 · 2023-06-21 14:53:48 +02:00 · 2023-06-21 14:53:48 +02:00 · 511e9fefaf
commit 511e9fefaf
parent 48d64bd031
3 changed files with 26 additions and 28 deletions
--- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
@ -42,17 +42,9 @@ rules:
    resources:
      - clustercleanuppolicies
      - cleanuppolicies
-      - clustercleanuppolicies/*
-      - cleanuppolicies/*
    verbs:
-      - create
-      - delete
-      - get
      - list
-      - patch
-      - update
      - watch
-      - deletecollection
  - apiGroups:
      - batch
    resources:
@ -65,14 +57,14 @@ rules:
      - update
      - watch
  - apiGroups:
-    - ''
-    - events.k8s.io
+      - ''
+      - events.k8s.io
    resources:
-    - events
+      - events
    verbs:
-    - create
-    - patch
-    - update
+      - create
+      - patch
+      - update
  - apiGroups:
      - authorization.k8s.io
    resources:
--- a/charts/kyverno/templates/cleanup-controller/role.yaml
+++ b/charts/kyverno/templates/cleanup-controller/role.yaml
@ -35,9 +35,16 @@ rules:
      - leases
    verbs:
      - create
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
      - delete
      - get
      - patch
      - update
+    resourceNames:
+      - kyverno-cleanup-controller
 {{- end -}}
 {{- end -}}
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -37888,17 +37888,9 @@ rules:
    resources:
      - clustercleanuppolicies
      - cleanuppolicies
-      - clustercleanuppolicies/*
-      - cleanuppolicies/*
    verbs:
-      - create
-      - delete
-      - get
      - list
-      - patch
-      - update
      - watch
-      - deletecollection
  - apiGroups:
      - batch
    resources:
@ -37911,14 +37903,14 @@ rules:
      - update
      - watch
  - apiGroups:
-    - ''
-    - events.k8s.io
+      - ''
+      - events.k8s.io
    resources:
-    - events
+      - events
    verbs:
-    - create
-    - patch
-    - update
+      - create
+      - patch
+      - update
  - apiGroups:
      - authorization.k8s.io
    resources:
@ -38423,10 +38415,17 @@ rules:
      - leases
    verbs:
      - create
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
      - delete
      - get
      - patch
      - update
+    resourceNames:
+      - kyverno-cleanup-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role