From cebc22a7b88b8aab51fe11b9d4a15bcc94fc7bfb Mon Sep 17 00:00:00 2001
From: Peter Rifel
Date: Mon, 27 Jan 2020 17:02:12 -0600
Subject: [PATCH] Restrict ClusterRole to readonly IAMIdentityMapping access

In the spirit of least privilege security, we shouldn't give write access to the custom resources since it is not needed, only the status subresource.
---
 deploy/example.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/deploy/example.yaml b/deploy/example.yaml
index aee5b1e85..c77dfe25c 100644
--- a/deploy/example.yaml
+++ b/deploy/example.yaml
@@ -27,9 +27,18 @@ rules:
 - apiGroups:
   - iamauthenticator.k8s.aws
   resources:
-  - "*"
+  - iamidentitymappings
   verbs:
-  - "*"
+  - get
+  - list
+  - watch
+- apiGroups:
+  - iamauthenticator.k8s.aws
+  resources:
+  - iamidentitymappings/status
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
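Review bot: The split into a read-only rule for `iamidentitymappings` and a separate write rule for `iamidentitymappings/status` is correct, because verbs in one rule apply to every resource it lists, but nothing in the file records that reasoning, so a later cleanup could merge the two rules and silently hand `patch`/`update` back to the CR spec. A comment above the second `- apiGroups:` entry such as `# status subresource only; kept separate because verbs apply to all resources in a rule` would preserve the intent this commit establishes. Whether the controller actually needs `watch` on the resource and both `patch` and `update` on the status subresource is not visible in the hunk; it would be worth confirming against the controller's client calls and dropping whichever verb is unused. The ClusterRole's metadata and the remaining rules (the core-group rule that starts at the bottom of the hunk) lie outside the hunk.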