From 40bafb711402e56058215ab136071ece7f58a159 Mon Sep 17 00:00:00 2001
From: Kevin Cormier
Date: Fri, 29 Dec 2023 12:29:19 -0500
Subject: [PATCH] ACM-9150 Reduce permissions for console deployment (#557)
* Remove argoproj.io/appprojects and organize by API group
Signed-off-by: Kevin Cormier
* Run "go generate"
Signed-off-by: Kevin Cormier
* Update role.yaml
Signed-off-by: Kevin Cormier
---------
Signed-off-by: Kevin Cormier
---
config/rbac/role.yaml | 49 ++++++++++++-------
.../templates/console-clusterrole.yaml | 36 ++++++++++----
pkg/templates/rbac_gen.go | 5 +-
3 files changed, 63 insertions(+), 27 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 7a8601d58..492c188a0 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -888,25 +888,8 @@ rules:
- watch
- apiGroups:
- app.k8s.io
- - apps.open-cluster-management.io
- - argoproj.io
- - policy.open-cluster-management.io
resources:
- applications
- - applicationsets
- - appprojects
- - argocds
- - channels
- - gitopsclusters
- - helmreleases
- - multiclusterapplicationsetreports
- - placementbindings
- - placementrules
- - policies
- - policyautomations
- - policysets
- - subscriptionreports
- - subscriptions
verbs:
- list
- watch
@@ -994,6 +977,19 @@ rules:
- patch
- update
- watch
+- apiGroups:
+ - apps.open-cluster-management.io
+ resources:
+ - channels
+ - gitopsclusters
+ - helmreleases
+ - multiclusterapplicationsetreports
+ - placementrules
+ - subscriptionreports
+ - subscriptions
+ verbs:
+ - list
+ - watch
- apiGroups:
- apps.open-cluster-management.io
resources:
@@ -1013,6 +1009,15 @@ rules:
- get
- list
- watch
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - applicationsets
+ - argocds
+ verbs:
+ - list
+ - watch
- apiGroups:
- authentication.k8s.io
resources:
@@ -2001,6 +2006,16 @@ rules:
- get
- list
- watch
+- apiGroups:
+ - policy.open-cluster-management.io
+ resources:
+ - placementbindings
+ - policies
+ - policyautomations
+ - policysets
+ verbs:
+ - list
+ - watch
- apiGroups:
- proxy.open-cluster-management.io
resources:
diff --git a/pkg/templates/charts/toggle/console-mce/templates/console-clusterrole.yaml b/pkg/templates/charts/toggle/console-mce/templates/console-clusterrole.yaml
index 8a67b7ba5..d79335759 100644
--- a/pkg/templates/charts/toggle/console-mce/templates/console-clusterrole.yaml
+++ b/pkg/templates/charts/toggle/console-mce/templates/console-clusterrole.yaml
@@ -180,26 +180,44 @@ rules:
- provisionings
- apiGroups:
- - policy.open-cluster-management.io
- app.k8s.io
- - apps.open-cluster-management.io
- - argoproj.io
resources:
- applications
- - applicationsets
- - appprojects
- - argocds
+ verbs:
+ - list
+ - watch
+
+- apiGroups:
+ - apps.open-cluster-management.io
+ resources:
- channels
- gitopsclusters
- helmreleases
- placementrules
+ - subscriptions
+ - subscriptionreports
+ - multiclusterapplicationsetreports
+ verbs:
+ - list
+ - watch
+
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - applicationsets
+ - argocds
+ verbs:
+ - list
+ - watch
+
+- apiGroups:
+ - policy.open-cluster-management.io
+ resources:
- placementbindings
- policies
- policyautomations
- policysets
- - subscriptions
- - subscriptionreports
- - multiclusterapplicationsetreports
verbs:
- list
- watch
diff --git a/pkg/templates/rbac_gen.go b/pkg/templates/rbac_gen.go
index 755dedaf1..6767d70db 100644
--- a/pkg/templates/rbac_gen.go
+++ b/pkg/templates/rbac_gen.go
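Review bot: None of the four split rules in console-clusterrole.yaml records which console feature reads each API group, which is exactly what the next reduction pass (like the one that had to work out that `appprojects` was unused here) needs in order to judge whether entries such as `argocds` or `policyautomations` are still required; a one-line comment above each rule, e.g. `# Console read-only access; list/watch return full object bodies, so this is equivalent to get`, would keep that rationale next to the grant. That caveat matters because the reduction in this hunk is in resource scope only: `list` and `watch` still hand back complete objects, so nothing here narrows what a holder of the role can read about the kinds that remain. The enclosing ClusterRole and its `rules:` list start before this hunk, so the remaining rules and the binding's scope were not reviewed; if the console only ever reads these kinds from a fixed set of hub namespaces, a namespaced RoleBinding would be tighter than a cluster-wide binding, but that cannot be judged from this hunk. The `config/rbac/role.yaml` hunks on this page, which the commit message says come from `go generate`, carry the same per-group resource sets, so the chart and the aggregated role look consistent.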
@@ -123,6 +123,7 @@ package main
//+kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=create;delete;get;list;patch;update;watch
//+kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=create;get;list;update;watch;patch;delete
//+kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices;apiservices/finalizers,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=app.k8s.io,resources=applications,verbs=list;watch
//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;delete;get;list;patch;update;watch
//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;get;list;update;watch;patch;delete
//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch
@@ -134,8 +135,10 @@ package main
//+kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get
//+kubebuilder:rbac:groups=apps,resources=replicasets;deployments,verbs=get;list;watch;create;update;patch
//+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=create;delete;get;list;patch;update;watch
+//+kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=channels;gitopsclusters;helmreleases;placementrules;subscriptions;subscriptionreports;multiclusterapplicationsetreports,verbs=list;watch
//+kubebuilder:rbac:groups=apps.open-cluster-management.io,resources=deployables;deployables/status,verbs=get;list;watch;update;patch
//+kubebuilder:rbac:groups=apps.openshift.io,resources=deploymentconfigs,verbs=get;list;watch
+//+kubebuilder:rbac:groups=argoproj.io,resources=applications;applicationsets;argocds,verbs=list;watch
//+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenrequests;tokenreviews,verbs=create
//+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
//+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
@@ -284,7 +287,7 @@ package main
//+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=multiclusterhubs,verbs=get;list;watch
//+kubebuilder:rbac:groups=operators.coreos.com,resources=clusterserviceversions,verbs=get;list
//+kubebuilder:rbac:groups=operators.coreos.com,resources=subscriptions,verbs=get;list;watch
-//+kubebuilder:rbac:groups=policy.open-cluster-management.io;app.k8s.io;apps.open-cluster-management.io;argoproj.io,resources=applications;applicationsets;appprojects;argocds;channels;gitopsclusters;helmreleases;placementrules;placementbindings;policies;policyautomations;policysets;subscriptions;subscriptionreports;multiclusterapplicationsetreports,verbs=list;watch
+//+kubebuilder:rbac:groups=policy.open-cluster-management.io,resources=placementbindings;policies;policyautomations;policysets,verbs=list;watch
//+kubebuilder:rbac:groups=proxy.open-cluster-management.io,resources=clusterstatuses/aggregator,verbs=get;create
//+kubebuilder:rbac:groups=proxy.open-cluster-management.io,resources=clusterstatuses/aggregator,verbs=get;create
//+kubebuilder:rbac:groups=proxy.open-cluster-management.io,resources=managedproxyconfigurations;managedproxyconfigurations/status;managedproxyconfigurations/finalizers;managedproxyserviceresolvers;managedproxyserviceresolvers/status;managedproxyserviceresolvers/finalizers,verbs=*