fix(rbac): remove unused permissions from ClusterRole (#1036)

cryostatio · Jan 31, 2025 · 81f4ff6 · 81f4ff6
1 parent 53d0618
commit 81f4ff6
Show file tree

Hide file tree

Showing 5 changed files with 1 addition and 45 deletions.
diff --git a/bundle/manifests/cryostat-operator-cryostat_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/manifests/cryostat-operator-cryostat_rbac.authorization.k8s.io_v1_clusterrole.yaml
@@ -16,13 +16,5 @@ rules:
   - authorization.k8s.io
   resources:
   - subjectaccessreviews
-  - selfsubjectaccessreviews
   verbs:
   - create
-- apiGroups:
-  - oauth.openshift.io
-  resources:
-  - oauthaccesstokens
-  verbs:
-  - list
-  - delete
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -24,7 +24,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
-    createdAt: "2025-01-28T00:29:47Z"
+    createdAt: "2025-01-31T15:55:35Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {
@@ -994,12 +994,6 @@ spec:
                 - tokenreviews
               verbs:
                 - create
-            - apiGroups:
-                - authorization.k8s.io
-              resources:
-                - selfsubjectaccessreviews
-              verbs:
-                - create
             - apiGroups:
                 - authorization.k8s.io
               resources:
@@ -1052,13 +1046,6 @@ spec:
                 - networkpolicies
               verbs:
                 - '*'
-            - apiGroups:
-                - oauth.openshift.io
-              resources:
-                - oauthaccesstokens
-              verbs:
-                - delete
-                - list
             - apiGroups:
                 - operator.cryostat.io
               resources:

diff --git a/config/rbac/cryostat_role.yaml b/config/rbac/cryostat_role.yaml
@@ -15,13 +15,5 @@ rules:
   - authorization.k8s.io
   resources:
   - subjectaccessreviews
-  - selfsubjectaccessreviews
   verbs:
   - create
-- apiGroups:
-  - oauth.openshift.io
-  resources:
-  - oauthaccesstokens
-  verbs:
-  - list
-  - delete
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -63,12 +63,6 @@ rules:
   - tokenreviews
   verbs:
   - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - selfsubjectaccessreviews
-  verbs:
-  - create
 - apiGroups:
   - authorization.k8s.io
   resources:
@@ -121,13 +115,6 @@ rules:
   - networkpolicies
   verbs:
   - '*'
-- apiGroups:
-  - oauth.openshift.io
-  resources:
-  - oauthaccesstokens
-  verbs:
-  - delete
-  - list
 - apiGroups:
   - operator.cryostat.io
   resources:

diff --git a/internal/controllers/cryostat_controller.go b/internal/controllers/cryostat_controller.go
@@ -54,9 +54,7 @@ func NewCryostatReconciler(config *ReconcilerConfig) (*CryostatReconciler, error
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=create;get;list;update;watch;delete
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;update;watch;delete
 // +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
-// +kubebuilder:rbac:groups=authorization.k8s.io,resources=selfsubjectaccessreviews,verbs=create
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
-// +kubebuilder:rbac:groups=oauth.openshift.io,resources=oauthaccesstokens,verbs=list;delete
 // +kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;update;watch
 // +kubebuilder:rbac:groups=route.openshift.io,resources=routes;routes/custom-host,verbs=*
 // +kubebuilder:rbac:groups=apps.openshift.io,resources=deploymentconfigs,verbs=get