OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces

- Restricted namespace permissions exclusively to operand namespaces (routers and canary). - Scoped CRD permissions to readonly to enable infromer watches. - Restricted wildcard CRD permissions exclusively to Gateway API.
openshift · Nov 26, 2024 · 71e83f9 · 71e83f9
1 parent 8be1749
commit 71e83f9
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/manifests/00-cluster-role.yaml b/manifests/00-cluster-role.yaml
@@ -15,7 +15,6 @@ rules:
   - ""
   resources:
   - configmaps
-  - namespaces
   - serviceaccounts
   - endpoints
   - services
@@ -25,6 +24,16 @@ rules:
   verbs:
   - "*"
 
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  resourceNames:
+  - openshift-ingress
+  - openshift-ingress-canary
+  verbs:
+  - "*"
+
 - apiGroups:
   - ""
   resources:
@@ -172,6 +181,20 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
+  - get
+  - list
+  - watch
+
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  resourceNames:
+  - gatewayclasses.gateway.networking.k8s.io
+  - gateways.gateway.networking.k8s.io
+  - httproutes.gateway.networking.k8s.io
+  - referencegrants.gateway.networking.k8s.io
+  verbs:
   - '*'
 
 - apiGroups: