fix: Use least privileges for CM role (#18)

Removing unnecessary permissions.
nutanix-cloud-native · Sep 4, 2024 · 069b742 · 069b742
1 parent 73f6785
commit 069b742
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 22 deletions.
diff --git a/charts/cluster-api-ipam-provider-nutanix/templates/role.yaml b/charts/cluster-api-ipam-provider-nutanix/templates/role.yaml
@@ -55,8 +55,9 @@ rules:
 - apiGroups:
   - ipam.cluster.x-k8s.io
   resources:
-  - ipaddressclaims/status
+  - ipaddressclaims/finalizers
   - ipaddresses/finalizers
+  - nutanixippools/finalizers
   verbs:
   - update
 - apiGroups:
@@ -85,24 +86,6 @@ rules:
   resources:
   - nutanixippools
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
-- apiGroups:
-  - ipam.cluster.x-k8s.io
-  resources:
-  - nutanixippools/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - ipam.cluster.x-k8s.io
-  resources:
-  - nutanixippools/status
-  verbs:
-  - get
-  - patch
-  - update
diff --git a/internal/controllers/ipaddressclaim.go b/internal/controllers/ipaddressclaim.go
@@ -203,13 +203,12 @@ func (i *NutanixProviderAdapter) ClaimHandlerFor(
 	}
 }
 
-// +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=nutanixippools,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=nutanixippools/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=nutanixippools,verbs=get;list;watch
 // +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=nutanixippools/finalizers,verbs=update
 // +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddresses,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/status;ipaddresses/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/status;ipaddresses/finalizers,verbs=update
+// +kubebuilder:rbac:groups=ipam.cluster.x-k8s.io,resources=ipaddressclaims/finalizers;ipaddresses/finalizers,verbs=update
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets;configmaps,verbs=get;list;watch