chore: Limit access for remote and istio namespaces

config/rbac/namespace_bindings/istio_namespace_role.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role-istio-namespace
+  namespace: istio-system
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - secrets
+  verbs:
+    - list
+    - watch
+    - create
+    - delete
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - certificates
+  verbs:
+    - patch
+    - list
+    - watch
+    - get
+    - create
+    - delete
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - issuers
+  verbs:
+    - list
+    - watch

config/rbac/namespace_bindings/istio_namespace_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-rolebinding-istio-namespace
+  namespace: istio-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role-istio-namespace
+subjects:
+  - kind: ServiceAccount
+    name: controller-manager

config/rbac/namespace_bindings/kustomization.yaml

@@ -14,3 +14,7 @@ resources:
   - metrics_role_binding.yaml
   # Comment the following to disable manifest integration
   - manifest_role_binding.yaml
+  - istio_namespace_role.yaml
+  - remote_namespace_role.yaml
+  - istio_namespace_role_binding.yaml
+  - remote_namespace_role_binding.yaml

config/rbac/namespace_bindings/remote_namespace_role.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role-remote-namespace
+  namespace: kyma-system
+rules:
+- apiGroups:
+    - operator.kyma-project.io
+  resources:
+    - kymas
+  verbs:
+    - list
+    - watch
+    - delete
+    - get
+    - create
+    - patch
+    - update
+- apiGroups:
+    - operator.kyma-project.io
+  resources:
+    - kymas/finalizers
+  verbs:
+    - update
+- apiGroups:
+    - operator.kyma-project.io
+  resources:
+    - kymas/status
+  verbs:
+    - get
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - operator.kyma-project.io
+  resources:
+    - moduletemplates
+  verbs:
+    - list
+    - watch
+    - delete

config/rbac/namespace_bindings/remote_namespace_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-rolebinding-remote-namespace
+  namespace: kyma-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role-remote-namespace
+subjects:
+  - kind: ServiceAccount
+    name: controller-manager

config/rbac/namespace_bindings/role_binding.yaml

@@ -6,32 +6,6 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: manager-role
-subjects:
-  - kind: ServiceAccount
-    name: controller-manager
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: manager-rolebinding-kyma-system
-  namespace: kyma-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: manager-role
-subjects:
-  - kind: ServiceAccount
-    name: controller-manager
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: manager-rolebinding-istio-system
-  namespace: istio-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: manager-role
 subjects:
   - kind: ServiceAccount
     name: controller-manager

internal/cache_options.go

@@ -41,9 +41,8 @@ func (c *KcpCacheOptions) GetCacheOptions() cache.Options {
 			&apicorev1.Secret{}: {
 				Label: k8slabels.Everything(),
 				Namespaces: map[string]cache.Config{
-					c.kcpNamespace:    {},
-					c.istioNamespace:  {},
-					c.remoteNamespace: {},
+					c.kcpNamespace:   {},
+					c.istioNamespace: {},
 				},
 			},
 			&v1beta2.Kyma{}: {

tests/e2e/rbac_privileges_test.go

@@ -1,9 +1,10 @@
 package e2e_test
 
 import (
+	apirbacv1 "k8s.io/api/rbac/v1"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	apirbacv1 "k8s.io/api/rbac/v1"
 
 	. "github.com/kyma-project/lifecycle-manager/pkg/testutils"
 )
@@ -30,7 +31,7 @@ var _ = Describe("RBAC Privileges", func() {
 			Expect(GetClusterRoleBindingPolicyRules(ctx, controlPlaneClient, "klm-manager-role-crd",
 				klmClusterRoleBindings)).To(Equal(crdRoleRules))
 
-			By("And KLM Service Account has the correct RoleBindings in kcp-system namespaces")
+			By("And KLM Service Account has the correct RoleBindings in kcp-system namespace")
 			kcpSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager",
 				"kcp-system")
 			Expect(err).ToNot(HaveOccurred())
@@ -171,23 +172,64 @@ var _ = Describe("RBAC Privileges", func() {
 			Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role-manifest",
 				kcpSystemKlmRoleBindings)).To(Equal(manifestRoleRules))
 
-			By("And KLM Service Account has the correct RoleBindings in istio-system namespaces")
+			By("And KLM Service Account has the correct RoleBindings in istio-system namespace")
+			istioNamespaceRoleRules := []apirbacv1.PolicyRule{
+				{
+					APIGroups: []string{""},
+					Resources: []string{"secrets"},
+					Verbs:     []string{"list", "watch", "create", "delete"},
+				},
+				{
+					APIGroups: []string{"cert-manager.io"},
+					Resources: []string{"certificates"},
+					Verbs:     []string{"patch", "list", "watch", "get", "create", "delete"},
+				},
+				{
+					APIGroups: []string{"cert-manager.io"},
+					Resources: []string{"issuers"},
+					Verbs:     []string{"list", "watch"},
+				},
+			}
 			istioSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager",
 				"istio-system")
 			Expect(err).ToNot(HaveOccurred())
 			Expect(istioSystemKlmRoleBindings.Items).To(HaveLen(1))
 
-			Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role",
-				istioSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules))
+			Expect(GetRoleBindingRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role-istio-namespace",
+				"istio-system",
+				istioSystemKlmRoleBindings)).To(Equal(istioNamespaceRoleRules))
 
-			By("And KLM Service Account has the correct RoleBindings in kyma-system namespaces")
+			By("And KLM Service Account has the correct RoleBindings in kyma-system namespace")
+			remoteNamespaceRoleRules := []apirbacv1.PolicyRule{
+				{
+					APIGroups: []string{"operator.kyma-project.io"},
+					Resources: []string{"kymas"},
+					Verbs:     []string{"list", "watch", "delete", "get", "create", "patch", "update"},
+				},
+				{
+					APIGroups: []string{"operator.kyma-project.io"},
+					Resources: []string{"kymas/finalizers"},
+					Verbs:     []string{"update"},
+				},
+				{
+					APIGroups: []string{"operator.kyma-project.io"},
+					Resources: []string{"kymas/status"},
+					Verbs:     []string{"get", "patch", "update", "watch"},
+				},
+				{
+					APIGroups: []string{"operator.kyma-project.io"},
+					Resources: []string{"moduletemplates"},
+					Verbs:     []string{"list", "watch", "delete"},
+				},
+			}
 			kymaSystemKlmRoleBindings, err := ListKlmRoleBindings(controlPlaneClient, ctx, "klm-controller-manager",
 				"kyma-system")
 			Expect(err).ToNot(HaveOccurred())
 			Expect(kymaSystemKlmRoleBindings.Items).To(HaveLen(2))
 
-			Expect(GetRoleBindingwithClusterRolePolicyRules(ctx, controlPlaneClient, "klm-manager-role",
-				kymaSystemKlmRoleBindings)).To(Equal(klmManagerRoleRules))
+			Expect(GetRoleBindingRolePolicyRules(ctx, controlPlaneClient,
+				"klm-manager-role-remote-namespace", "kyma-system",
+				kymaSystemKlmRoleBindings)).To(Equal(remoteNamespaceRoleRules))
 
 			metricsReaderRoleRules := []apirbacv1.PolicyRule{
 				{