fix: Replace wildcards in RBAC objects with explicit resources and verbs

Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
kedacore · Sep 3, 2024 · 28c6889 · 28c6889
1 parent 3ab87fb
commit 28c6889
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 11 deletions.
diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml
@@ -29,11 +29,12 @@ rules:
   resources:
   - events
   verbs:
-  - '*'
+  - create
+  - patch
 {{- if not .Values.permissions.operator.restrict.secret }}
 - apiGroups:
   - ""
-  resources:    
+  resources:
   - secrets
   verbs:
   - list
@@ -66,7 +67,7 @@ rules:
   - {{ .kind | quote }}
   verbs:
   - get
-  {{- end }}   
+  {{- end }}
 {{- end }}
 - apiGroups:
   - apps
@@ -93,13 +94,25 @@ rules:
   resources:
   - horizontalpodautoscalers
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - batch
   resources:
   - jobs
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - eventing.keda.sh
   resources:
@@ -108,7 +121,13 @@ rules:
   - clustercloudeventsources
   - clustercloudeventsources/status
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - keda.sh
   resources:
@@ -121,7 +140,13 @@ rules:
   - triggerauthentications
   - triggerauthentications/status
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 {{- if .Values.rbac.aggregateToDefaultRoles }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml
@@ -17,7 +17,13 @@ rules:
   resources:
   - leases
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}
 - apiGroups:
   - ""
@@ -79,7 +85,13 @@ rules:
   - clustertriggerauthentications
   - clustertriggerauthentications/status
   verbs:
-  - '*'
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
 - apiGroups:
   - admissionregistration.k8s.io

diff --git a/keda/templates/metrics-server/clusterrole.yaml b/keda/templates/metrics-server/clusterrole.yaml
@@ -14,7 +14,7 @@ rules:
 - apiGroups:
   - external.metrics.k8s.io
   resources:
-  - '*'
+  - 'externalmetrics'
   verbs:
-  - '*'
+  - 'get'
 {{- end -}}