Reduce permission for cluster manager and klusterlet

Signed-off-by: Jian Qiu <[email protected]>

deploy/cluster-manager/config/rbac/cluster_role.yaml

@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"]
+  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "list", "watch", "update", "patch", "delete"]

deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml

@@ -59,7 +59,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2023-11-28T10:34:20Z"
+    createdAt: "2023-11-29T09:54:38Z"
     description: Manages the installation and upgrade of the ClusterManager.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -118,7 +118,6 @@ spec:
           - namespaces
           - serviceaccounts
           - services
-          - pods
           verbs:
           - create
           - get
@@ -128,6 +127,12 @@ spec:
           - patch
           - delete
           - deletecollection
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          verbs:
+          - get
         - apiGroups:
           - ""
           resourceNames:

deploy/klusterlet/config/rbac/cluster_role.yaml

@@ -5,8 +5,18 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["secrets", "configmaps", "serviceaccounts"]
+  resources: ["configmaps", "serviceaccounts"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "update", "get", "list", "watch"]
+  resourceNames:
+    - "open-cluster-management-image-pull-credentials"
+    - "hub-kubeconfig-secret"
+    - "external-managed-kubeconfig"
+    - "external-managed-kubeconfig-work"
+    - "external-managed-kubeconfig-registration"
+    - "external-managed-kubeconfig-agent"
 # get pods and replicasets is for event creation
 - apiGroups: [""]
   resources: ["pods"]

deploy/klusterlet/olm-catalog/klusterlet/manifests/klusterlet.clusterserviceversion.yaml

@@ -31,7 +31,7 @@ metadata:
     categories: Integration & Delivery,OpenShift Optional
     certified: "false"
     containerImage: quay.io/open-cluster-management/registration-operator:latest
-    createdAt: "2023-11-28T10:34:20Z"
+    createdAt: "2023-11-29T09:54:38Z"
     description: Manages the installation and upgrade of the Klusterlet.
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
@@ -93,7 +93,6 @@ spec:
         - apiGroups:
           - ""
           resources:
-          - secrets
           - configmaps
           - serviceaccounts
           verbs:
@@ -104,6 +103,23 @@ spec:
           - watch
           - patch
           - delete
+        - apiGroups:
+          - ""
+          resourceNames:
+          - open-cluster-management-image-pull-credentials
+          - hub-kubeconfig-secret
+          - external-managed-kubeconfig
+          - external-managed-kubeconfig-work
+          - external-managed-kubeconfig-registration
+          - external-managed-kubeconfig-agent
+          resources:
+          - secrets
+          verbs:
+          - create
+          - update
+          - get
+          - list
+          - watch
         - apiGroups:
           - ""
           resources:

manifests/cluster-manager/hub/cluster-manager-addon-manager-clusterrole.yaml

@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow controller to get/list/watch/create/delete configmaps/events
 - apiGroups: [""]
-  resources: ["configmaps", "events", "pods"]
+  resources: ["configmaps", "events"]
   verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: ["apps"]
   resources: ["replicasets"]
   verbs: ["get"] 

manifests/cluster-manager/hub/cluster-manager-manifestworkreplicaset-clusterrole.yaml

@@ -4,8 +4,11 @@ metadata:
   name: open-cluster-management:{{ .ClusterManagerName }}-work:controller
 rules:
 - apiGroups: [ "" ]
-  resources: [ "configmaps", "pods"]
+  resources: [ "configmaps"]
   verbs: [ "get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 # Allow create subjectaccessreviews
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]

manifests/cluster-manager/hub/cluster-manager-placement-clusterrole.yaml

@@ -5,8 +5,11 @@ metadata:
 rules:
 # Allow controller to get/list/watch/create/delete configmaps
 - apiGroups: [""]
-  resources: ["configmaps", "pods"]
+  resources: ["configmaps"]
   verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: ["apps"]
   resources: ["replicasets"]
   verbs: ["get"] 

manifests/cluster-manager/hub/cluster-manager-registration-clusterrole.yaml

@@ -12,8 +12,11 @@ rules:
   verbs: ["update"]
 # Allow hub to get/list/watch/create/delete namespace and service account
 - apiGroups: [""]
-  resources: ["namespaces", "serviceaccounts", "configmaps", "pods"]
+  resources: ["namespaces", "serviceaccounts", "configmaps"]
   verbs: ["get", "list", "watch", "create", "delete", "update"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: ["", "events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch", "update"]