fix: rbac too wide (#99)

mikouaj · web-flow · commit 767d31c4aff6 · 2025-03-20T17:46:12.000+01:00
diff --git a/config/internalcert/kustomization.yaml b/config/internalcert/kustomization.yaml
@@ -1,2 +1,4 @@
 resources:
+- role.yaml
+- role_binding.yaml
 - secret.yaml
diff --git a/config/internalcert/role.yaml b/config/internalcert/role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: role
+    app.kubernetes.io/instance: internal-cert-role
+    app.kubernetes.io/component: internal-cert
+    app.kubernetes.io/created-by: kube-startup-cpu-boost
+    app.kubernetes.io/part-of: kube-startup-cpu-boost
+    app.kubernetes.io/managed-by: kustomize
+  name: internal-cert-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
diff --git a/config/internalcert/role_binding.yaml b/config/internalcert/role_binding.yaml
@@ -1,18 +1,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/instance: internal-cert-rolebinding
+    app.kubernetes.io/component: internal-cert
     app.kubernetes.io/created-by: kube-startup-cpu-boost
     app.kubernetes.io/part-of: kube-startup-cpu-boost
     app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
+  name: internal-cert-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: proxy-role
+  kind: Role
+  name: internal-cert-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager
diff --git a/config/internalcert/secret.yaml b/config/internalcert/secret.yaml
@@ -1,5 +1,11 @@
 apiVersion: v1
 kind: Secret
 metadata:
+  labels:
+    app.kubernetes.io/name: secret
+    app.kubernetes.io/instance: webhook-secret
+    app.kubernetes.io/component: internal-cert
+    app.kubernetes.io/created-by: kube-startup-cpu-boost
+    app.kubernetes.io/part-of: kube-startup-cpu-boost
+    app.kubernetes.io/managed-by: kustomize
   name: webhook-secret
-  namespace: system
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -9,10 +9,3 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -12,22 +12,37 @@ rules:
   - ""
   resources:
   - pods
-  - secrets
   verbs:
   - get
   - list
   - update
   - watch
 - apiGroups:
   - admissionregistration.k8s.io
+  resourceNames:
+  - kube-startup-cpu-boost-mutating-webhook-configuration
   resources:
   - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
   verbs:
   - get
-  - list
   - update
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - list
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resourceNames:
+  - kube-startup-cpu-boost-validating-webhook-configuration
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - update
 - apiGroups:
   - autoscaling.x-k8s.io
   resources:
diff --git a/internal/util/cert.go b/internal/util/cert.go
@@ -32,9 +32,10 @@ const (
 	webhookSecretName          = "kube-startup-cpu-boost-webhook-secret"
 )
 
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
-//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update
-//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
+//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=list;watch
+//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=list;watch
+//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,resourceNames=kube-startup-cpu-boost-mutating-webhook-configuration,verbs=get;update
+//+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,resourceNames=kube-startup-cpu-boost-validating-webhook-configuration,verbs=get;update
 
 func ManageCerts(mgr ctrl.Manager, namespace string, setupFinished chan struct{}) error {
 	dnsName := fmt.Sprintf("%s.%s.svc", webhookServiceName, namespace)
