reduce RBAC permissions of operator-controller (#116)

joelanford · web-flow · commit 9a0ccd25c688 · 2023-02-02T14:44:56.000-05:00
operator-controller does not (and should not ever) need permission to
create/update/patch/delete Operator objects. It needs:
- write on Operator status
- write on Operator finalizers
- read on all other operator fields
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -21,12 +21,8 @@ rules:
   resources:
   - operators
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - operators.operatorframework.io
diff --git a/controllers/operator_controller.go b/controllers/operator_controller.go
@@ -51,7 +51,7 @@ func NewOperatorReconciler(c client.Client, s *runtime.Scheme, r *resolution.Ope
 	}
 }
 
-//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators,verbs=get;list;watch
 //+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators/finalizers,verbs=update
 

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func NewOperatorReconciler(c client.Client, s runtime.Scheme, r resolution.Ope`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
`54`		`-//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators,verbs=get;list;watch;create;update;patch;delete`
	`54`	`+//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators,verbs=get;list;watch`
`55`	`55`	`//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators/status,verbs=get;update;patch`
`56`	`56`	`//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators/finalizers,verbs=update`
`57`	`57`