From 3a65176d56894968b32c435e92c16a6170ffc920 Mon Sep 17 00:00:00 2001
From: Joe Lanford
Date: Thu, 2 Feb 2023 13:04:42 -0500
Subject: [PATCH] reduce RBAC permissions of operator-controller

operator-controller does not (and should not ever) need permission to create/update/patch/delete Operator objects. It needs:
- write on Operator status
- write on Operator finalizers
- read on all other operator fields
---
 config/rbac/role.yaml | 4 ----
 controllers/operator_controller.go | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 02b255528..6caa5b6b1 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -21,12 +21,8 @@ rules:
 resources:
 - operators
 verbs:
- - create
- - delete
 - get
 - list
- - patch
- - update
 - watch
 - apiGroups:
 - operators.operatorframework.io
diff --git a/controllers/operator_controller.go b/controllers/operator_controller.go
index 306dc5a06..afb862518 100644
--- a/controllers/operator_controller.go
+++ b/controllers/operator_controller.go
@@ -51,7 +51,7 @@ func NewOperatorReconciler(c client.Client, s *runtime.Scheme, r *resolution.Ope
 }
 }
-//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators,verbs=get;list;watch
 //+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=operators.operatorframework.io,resources=operators/finalizers,verbs=update
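Review bot: Dropping `update`/`patch` on the `operators` resource in the rewritten `//+kubebuilder:rbac` marker is not fully backed by the `operators/finalizers` marker kept on the following line: `metadata.finalizers` is written through an Update/Patch of the main object, and the `/finalizers` subresource verb is what the OwnerReferencesPermissionEnforcement admission plugin checks when an owner reference sets `blockOwnerDeletion`, so it does not by itself let the controller add or remove its own finalizer as the commit message's "write on Operator finalizers" implies. If the reconciler (its body is outside this hunk; only the closing braces of `NewOperatorReconciler` are visible) calls `controllerutil.AddFinalizer`/`RemoveFinalizer` followed by `c.Update`/`c.Patch` on an Operator, that call will now fail with a 403 at runtime, and the commit record should say whether that case was checked. If it does not, I would pin the intent on the marker so the write verbs are not re-added casually, e.g. `// Operator objects are user-owned: the controller only writes the status subresource (and needs operators/finalizers for owner-reference enforcement), never the object itself.`, and add an envtest that runs the reconciler under the generated role so a future regression surfaces in CI rather than in a cluster.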