Adjust auth proxy SAR to be more specific

infrawatch · Dec 11, 2023 · 6d9195b · 6d9195b
1 parent ade9cb4
commit 6d9195b
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 33 deletions.
diff --git a/...atalog/smart-gateway-operator/manifests/smart-gateway-operator.clusterserviceversion.yaml b/...atalog/smart-gateway-operator/manifests/smart-gateway-operator.clusterserviceversion.yaml
@@ -185,14 +185,6 @@ spec:
           - update
           - patch
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:
@@ -341,14 +333,6 @@ spec:
           - rolebindings
           verbs:
           - create
-        - apiGroups:
-          - ""
-          resources:
-          - namespaces
-          verbs:
-          - get
-          - list
-          - watch
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:

diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -48,14 +48,6 @@ rules:
   - update
   - patch
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -159,14 +151,6 @@ rules:
   - rolebindings
   verbs:
   - create
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

diff --git a/roles/smartgateway/templates/deployment.yaml.j2 b/roles/smartgateway/templates/deployment.yaml.j2
@@ -36,7 +36,7 @@ spec:
         - -cookie-secret-file=/etc/proxy/secrets/session_secret
         - -openshift-service-account={{ service_account_name }}
         - -upstream=http://localhost:8081/
-        - '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get"}}'
+        - '-openshift-delegate-urls={"/": {"namespace": "{{ ansible_operator_meta.namespace }}", "resource": "smartgateways", "group": "smartgateway.infra.watch", "verb": "get"}}'
         ports:
         - containerPort: 8083
           name: https