Restrict config.openshift.io/networks RBAC permissions

This resource type is only used for network settings discovery to query the "cluster" Network so restrict the RBAC to only "get" access to the "cluster" resource name. This applies to both the submariner-operator: https://github.com/submariner-io/submariner/blob/85fea596f30b0e84d6962c92bb129a6b8bce8028/pkg/routeagent_driver/handlers/ovn/connection.go#L358 and route-agent components: https://github.com/submariner-io/submariner/blob/85fea596f30b0e84d6962c92bb129a6b8bce8028/pkg/routeagent_driver/handlers/ovn/connection.go#L358 Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
submariner-io · May 6, 2024 · 9d5ba43 · 9d5ba43
1 parent 586e350
commit 9d5ba43
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/config/rbac/submariner-operator/cluster_role.yaml b/config/rbac/submariner-operator/cluster_role.yaml
@@ -51,9 +51,10 @@ rules:
     resources:
       # Needed for network settings discovery
       - networks
+    resourceNames:
+      - cluster
     verbs:
       - get
-      - list
   - apiGroups:
       - monitoring.coreos.com
     resources:

diff --git a/config/rbac/submariner-route-agent/cluster_role.yaml b/config/rbac/submariner-route-agent/cluster_role.yaml
@@ -19,9 +19,10 @@ rules:
       - config.openshift.io
     resources:
       - networks
+    resourceNames:
+      - cluster
     verbs:
       - get
-      - list
   - apiGroups:
       - ""
     resources:

diff --git a/pkg/embeddedyamls/yamls.go b/pkg/embeddedyamls/yamls.go
@@ -2732,9 +2732,10 @@ rules:
     resources:
       # Needed for network settings discovery
       - networks
+    resourceNames:
+      - cluster
     verbs:
       - get
-      - list
   - apiGroups:
       - monitoring.coreos.com
     resources:
@@ -2997,9 +2998,10 @@ rules:
       - config.openshift.io
     resources:
       - networks
+    resourceNames:
+      - cluster
     verbs:
       - get
-      - list
   - apiGroups:
       - ""
     resources: