chore: restrict default permissions (#6972)

* restrict admission permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> * restrict background permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update install.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-04-24 00:50:47 +08:00 · 2023-04-24 00:50:47 +08:00 · a247d13eb5
commit a247d13eb5
parent 5a6b3c86f6
3 changed files with 0 additions and 70 deletions
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@ -96,40 +96,6 @@ rules:
      - get
      - list
      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-      - ingressclasses
-      - networkpolicies
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-      - configmaps
-      - secrets
-      - resourcequotas
-      - limitranges
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - rolebindings
-      - roles
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
 {{- with .Values.admissionController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/charts/kyverno/templates/background-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/background-controller/clusterrole.yaml
@ -63,7 +63,6 @@ rules:
  - apiGroups:
      - ""
    resources:
-      - namespaces
      - configmaps
      - secrets
      - resourcequotas
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -33970,40 +33970,6 @@ rules:
      - get
      - list
      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-      - ingressclasses
-      - networkpolicies
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-      - configmaps
-      - secrets
-      - resourcequotas
-      - limitranges
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - rbac.authorization.k8s.io
-    resources:
-      - rolebindings
-      - roles
-    verbs:
-      - create
-      - update
-      - patch
-      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -34076,7 +34042,6 @@ rules:
  - apiGroups:
      - ""
    resources:
-      - namespaces
      - configmaps
      - secrets
      - resourcequotas