From 511e9fefaf800cc0899504f7554cfda49a09514a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Wed, 21 Jun 2023 14:53:48 +0200
Subject: [PATCH] fix: harden cleanup controller rbac (#7626)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
.../cleanup-controller/clusterrole.yaml | 20 +++++---------
.../templates/cleanup-controller/role.yaml | 7 +++++
config/install-latest-testing.yaml | 27 +++++++++----------
3 files changed, 26 insertions(+), 28 deletions(-)

diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
index d980e3d393..527dfd3c9e 100644
--- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
@@ -42,17 +42,9 @@ rules:
resources:
- clustercleanuppolicies
- cleanuppolicies
- - clustercleanuppolicies/*
- - cleanuppolicies/*
verbs:
- - create
- - delete
- - get
- list
- - patch
- - update
- watch
- - deletecollection
- apiGroups:
- batch
resources:
@@ -65,14 +57,14 @@ rules:
- update
- watch
- apiGroups:
- - ''
- - events.k8s.io
+ - ''
+ - events.k8s.io
resources:
- - events
+ - events
verbs:
- - create
- - patch
- - update
+ - create
+ - patch
+ - update
- apiGroups:
- authorization.k8s.io
resources:
diff --git a/charts/kyverno/templates/cleanup-controller/role.yaml b/charts/kyverno/templates/cleanup-controller/role.yaml
index d902dd0e3f..dc91455816 100644
--- a/charts/kyverno/templates/cleanup-controller/role.yaml
+++ b/charts/kyverno/templates/cleanup-controller/role.yaml
@@ -35,9 +35,16 @@ rules:
- leases
verbs:
- create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
- delete
- get
- patch
- update
+ resourceNames:
+ - kyverno-cleanup-controller
{{- end -}}
{{- end -}}
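Review bot: The reduced rule on `clustercleanuppolicies`/`cleanuppolicies` keeps only `list` and `watch`, and because the `clustercleanuppolicies/*` and `cleanuppolicies/*` subresource entries are removed as well, the controller also loses any write access to the `status` subresource of those policies. If the cleanup controller records conditions on policy status, that write path will now be denied until an explicit `clustercleanuppolicies/status` / `cleanuppolicies/status` rule with `update`/`patch` is added; if it only reads policies, the reduction is the right least-privilege shape. A one-line comment on the rule would keep the next reader from re-widening it, e.g. `# read-only: the controller only needs to observe cleanup policies`. The same change is mirrored in the generated `config/install-latest-testing.yaml` hunk, and the enclosing `rules:` list starts outside this hunk.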
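Review bot: Splitting the `leases` rule is the correct way to scope the mutating verbs, because `create` is never checked against `resourceNames` (the object has no name at admission), so the first rule must stay unrestricted; that reasoning belongs in the template, e.g. `# create cannot be scoped by resourceNames; delete/get/patch/update are limited to the controller's own lease below`. The lease name `kyverno-cleanup-controller` is a literal in an otherwise Helm-templated file, so if the controller derives its lease identity from the deployment or release name, a non-default release name would lose leader-election permissions on its own lease — confirm the lease ID is fixed in the binary, or template the name the same way the deployment name is. The same change is mirrored in the generated `config/install-latest-testing.yaml` hunk, and the enclosing `rules:` list starts outside this hunk.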
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index c2095ba81c..b8ef386b00 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -37888,17 +37888,9 @@ rules: resources: - clustercleanuppolicies - cleanuppolicies - - clustercleanuppolicies/* - - cleanuppolicies/* verbs: - - create - - delete - - get - list - - patch - - update - watch - - deletecollection - apiGroups: - batch resources: @@ -37911,14 +37903,14 @@ rules: - update - watch - apiGroups: - - '' - - events.k8s.io + - '' + - events.k8s.io resources: - - events + - events verbs: - - create - - patch - - update + - create + - patch + - update - apiGroups: - authorization.k8s.io resources: @@ -38423,10 +38415,17 @@ rules: - leases verbs: - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: - delete - get - patch - update + resourceNames: + - kyverno-cleanup-controller --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role