From f4b5fd47542cce0e4588dc00dfe53998c4b67c3f Mon Sep 17 00:00:00 2001
From: Adam Harwayne
Date: Wed, 6 Jan 2021 01:40:43 -0800
Subject: [PATCH] Webhook has only namespaced Secret permissions, rather than cluster-wide. (#4684)

---
 config/200-webhook-role.yaml | 1 +
 config/core/200-webhook-serviceaccount.yaml | 18 +++++++++++
 config/core/roles/webhook-clusterrole.yaml | 1 -
 config/core/roles/webhook-role.yaml | 34 +++++++++++++++++++++
 4 files changed, 53 insertions(+), 1 deletion(-)
 create mode 120000 config/200-webhook-role.yaml
 create mode 100644 config/core/roles/webhook-role.yaml

diff --git a/config/200-webhook-role.yaml b/config/200-webhook-role.yaml
new file mode 120000
index 00000000000..6d721f922f6
--- /dev/null
+++ b/config/200-webhook-role.yaml
@@ -0,0 +1 @@
+core/roles/webhook-role.yaml
\ No newline at end of file
diff --git a/config/core/200-webhook-serviceaccount.yaml b/config/core/200-webhook-serviceaccount.yaml
index 0994f5518bf..9ca8d1e38a6 100644
--- a/config/core/200-webhook-serviceaccount.yaml
+++ b/config/core/200-webhook-serviceaccount.yaml
@@ -39,6 +39,24 @@ roleRef:
 
 ---
 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: knative-eventing
+  name: eventing-webhook
+  labels:
+    eventing.knative.dev/release: devel
+subjects:
+  - kind: ServiceAccount
+    name: eventing-webhook
+    namespace: knative-eventing
+roleRef:
+  kind: Role
+  name: knative-eventing-webhook
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/config/core/roles/webhook-clusterrole.yaml b/config/core/roles/webhook-clusterrole.yaml
index d0a26029061..68c45c3995d 100644
--- a/config/core/roles/webhook-clusterrole.yaml
+++ b/config/core/roles/webhook-clusterrole.yaml
@@ -33,7 +33,6 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - "secrets"
       - "namespaces"
     verbs:
       - "get"
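Review bot: The new RoleBinding carries no comment explaining why it sits next to the ClusterRoleBinding that follows, so a reader of this file cannot tell that it is the namespaced replacement for the Secret grant removed from the ClusterRole in the same commit. A line above the added `apiVersion`, such as `# Grants the webhook Secret access in knative-eventing only; see roles/webhook-role.yaml.`, would record that intent where the next maintainer will look. The binding is named `eventing-webhook` while the Role it references is `knative-eventing-webhook`; if the existing ClusterRole follows the latter convention (not visible here), naming the Role and binding pair consistently would make them easier to grep together.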
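Review bot: Dropping `"secrets"` from this cluster-wide rule only works if the webhook lists and watches Secrets through a namespace-scoped informer; a cluster-scoped Secret informer would now fail its initial list with a Forbidden error at startup, and nothing in this patch shows the Go side, so I am inferring that the informer change landed separately. Worth confirming that and mentioning it in the commit description, since the two changes only work together. A comment above the rule, e.g. `# Secret access is granted per-namespace by roles/webhook-role.yaml, not here.`, would keep someone from re-adding it cluster-wide. The enclosing rule continues outside the hunk, so the remaining verbs on namespaces are not visible.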
diff --git a/config/core/roles/webhook-role.yaml b/config/core/roles/webhook-role.yaml
new file mode 100644
index 00000000000..fffd5fe3bfd
--- /dev/null
+++ b/config/core/roles/webhook-role.yaml
@@ -0,0 +1,34 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: knative-eventing
+  name: knative-eventing-webhook
+  labels:
+    eventing.knative.dev/release: devel
+rules:
+  # For manipulating certs into secrets.
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "get"
+      - "create"
+      - "update"
+      - "list"
+      - "watch"
+      - "patch"
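Review bot: The single rule grants `update` and `patch` on every Secret in knative-eventing, while its comment says the purpose is writing the webhook's own certificate; `resourceNames` can pin the write verbs to that one Secret. `list`, `watch` and `create` cannot be restricted by `resourceNames`, so they need a second rule, and because list/watch stay namespace-wide the read side is effectively unchanged — the split only limits which Secrets the webhook can modify, which is still the part worth limiting. The Secret's name is not on this page, so the example below uses a placeholder. The license header reads 2020 although the file is created in January 2021.
```yaml
# … unchanged: license header, apiVersion, kind, metadata …
rules:
  # For manipulating certs into secrets: writes are pinned to the webhook's own Secret.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    resourceNames:
      - "<webhook-certs-secret-name>"  # placeholder: the Secret the webhook writes its cert into
    verbs:
      - "get"
      - "update"
      - "patch"
  # list/watch/create cannot be limited by resourceNames, so they stay namespace-wide.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "create"
      - "list"
      - "watch"
```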