From 68bf042386eeafd2a76357019e224361f2a5c30f Mon Sep 17 00:00:00 2001
From: Aryan-sharma11
Date: Mon, 12 Aug 2024 16:20:12 +0530
Subject: [PATCH] update permissions required by kubearmor daemonset
Signed-off-by: Aryan-sharma11
---
 deployments/get/objects.go | 13 +++++++++----
 .../helm/KubeArmor/templates/RBAC/roles.yaml | 16 +++++++++-------
 2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index 102697604d..c7c5a44b2e 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
@@ -43,18 +43,23 @@ func GetClusterRole() *rbacv1.ClusterRole {
 Rules: []rbacv1.PolicyRule{
 {
 APIGroups: []string{""},
- Resources: []string{"pods", "nodes", "namespaces", "configmaps"},
- Verbs: []string{"get", "patch", "list", "watch", "update"},
+ Resources: []string{"namespaces"},
+ Verbs: []string{"get", "list", "watch", "update"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods", "nodes", "configmaps"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"apps"},
 Resources: []string{"deployments", "replicasets", "daemonsets", "statefulsets"},
- Verbs: []string{"get", "patch", "list", "watch", "update"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"batch"},
 Resources: []string{"jobs", "cronjobs"},
- Verbs: []string{"get", "patch", "list", "watch", "update"},
+ Verbs: []string{"get", "list", "watch"},
 },
 {
 APIGroups: []string{"security.kubearmor.com"},
diff --git a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
index dc96cd7017..9d2a2b4e97 100644
--- a/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
+++ b/deployments/helm/KubeArmor/templates/RBAC/roles.yaml
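Review bot: In `GetClusterRole` (deployments/get/objects.go) the new first rule still grants `update` on `namespaces` cluster-wide, and nothing in the hunk records which daemon code path needs it, so a later reader cannot tell whether this is the minimum or a leftover. A one-line comment above that rule would capture it, e.g. `// update on namespaces: required by <namespace write path — fill in>; the rules below are read-only`. Dropping `patch` while keeping `update` on namespaces also means any remaining Patch call against a namespace would now be rejected by the API server; presumably the daemon only uses Update, but that is not visible here. The function starts before the hunk and continues past it.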
@@ -3,19 +3,25 @@ kind: ClusterRole
 metadata:
 name: kubearmor-clusterrole
 rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - update
 - apiGroups:
 - ""
 resources:
 - pods
 - nodes
- - namespaces
 - configmaps
 verbs:
 - get
- - patch
 - list
 - watch
- - update
 - apiGroups:
 - apps
 resources:
@@ -25,10 +31,8 @@ rules:
 - statefulsets
 verbs:
 - get
- - patch
 - list
 - watch
- - update
 - apiGroups:
 - batch
 resources:
@@ -36,10 +40,8 @@ rules:
 - cronjobs
 verbs:
 - get
- - patch
 - list
 - watch
- - update
 - apiGroups:
 - security.kubearmor.com
 resources:
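Review bot: The rule list in the first hunk of roles.yaml is a hand-written copy of the one in `deployments/get/objects.go`, and nothing ties the two together, so a later edit to one side can leave Helm installs with different privileges from the Go-generated ClusterRole. A comment directly under `rules:` such as `# keep in sync with GetClusterRole() in deployments/get/objects.go` would make the coupling visible. The second and third hunks drop `patch` and `update` for the `apps` and `batch` workloads; if any daemon code still writes to those objects it will start receiving Forbidden responses after upgrade, which is worth confirming in a test cluster with `kubectl auth can-i` run as the daemonset's service account.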