OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces
- Restricted CRD permissions exclusively to Gateway API.
- Restricted namespace permissions exclusively to operand namespaces (routers and canary).
alebedev87 committed Nov 26, 2024
1 parent 8be1749 commit 023861b
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion manifests/00-cluster-role.yaml
Expand Up @@ -15,7 +15,6 @@ rules:
- ""
resources:
- configmaps
- namespaces
- serviceaccounts
- endpoints
- services
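Review bot: removing `- namespaces` from this wildcard-verb rule also drops cluster-wide `list`/`watch` on namespaces, and the replacement rule added further down in this patch is name-scoped, so any informer or controller that still lists or watches namespaces without a `metadata.name` field selector will now receive a forbidden error. Suggest confirming the operator only reads its two operand namespaces before merging, or keeping a narrow `get`/`list`/`watch` rule for `namespaces` here.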
Expand All @@ -25,6 +24,16 @@ rules:
verbs:
- "*"

- apiGroups:
- ""
resources:
- namespaces
resourceNames:
- openshift-ingress
- openshift-ingress-canary
verbs:
- "*"

- apiGroups:
- ""
resources:
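Review bot: `resourceNames` combined with `verbs: ["*"]` does not grant what the wildcard suggests. Kubernetes RBAC cannot apply a `resourceNames` restriction to `create`, because the object name is not known at authorization time, and `list`/`watch` are only authorized when the request carries a `metadata.name` field selector matching one of the listed names. If the operator is expected to create `openshift-ingress` or `openshift-ingress-canary`, that needs a separate rule without `resourceNames`; otherwise replace `"*"` with the verbs actually used (`get`, `update`, `patch`, ...) so the grant is both readable and minimal.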
Expand Down Expand Up @@ -171,6 +180,11 @@ rules:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
resourceNames:
- gatewayclasses.gateway.networking.k8s.io
- gateways.gateway.networking.k8s.io
- httproutes.gateway.networking.k8s.io
- referencegrants.gateway.networking.k8s.io
verbs:
- '*'

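Review bot: the same `resourceNames` caveat applies to this rule, and it matters more for CRDs: with names listed, `create` on `customresourcedefinitions` is no longer authorized by this rule at all, so if the operator installs the Gateway API CRDs itself this change breaks that path and a separate `create` rule is required. Style nit: this rule keeps `'*'` while the new namespace rule above uses `"*"`; pick one quoting style for the file.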