fix: remove create/delete on roles/rolebindings per QA review
Removes privilege-escalation permissions from the RBAC manifest per the PRI-554 QA review. The rbac.authorization.k8s.io rule now grants only get/list/watch on rolebindings (needed by the deploy script to verify that the expected bindings exist). Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -13,8 +13,8 @@ metadata:
|
|||||||
namespace: privilegedescalation-dev
|
namespace: privilegedescalation-dev
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["rbac.authorization.k8s.io"]
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
||||||
resources: ["roles", "rolebindings"]
|
resources: ["rolebindings"]
|
||||||
verbs: ["get", "list", "watch", "create", "delete"]
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["configmaps", "serviceaccounts", "events"]
|
resources: ["configmaps", "serviceaccounts", "events"]
|
||||||
verbs: ["get", "list", "create", "delete"]
|
verbs: ["get", "list", "create", "delete"]
|
||||||
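Review bot: The second rule on the new side still grants `create` and `delete` on `serviceaccounts` and `events`, which the escalation review behind this commit does not appear to address: `delete` on `events` lets the CI identity erase the namespace's event trail, and delete-then-recreate of a `serviceaccounts` object that is named in an existing RoleBinding lets the runner inherit that binding if it can also run pods or mint tokens as that account (pod/token verbs are not visible in this hunk, so that part needs confirming against the rest of the Role). If the deploy script only reads events, events should move to a read-only rule, and the remaining `serviceaccounts` create/delete should either be narrowed with `resourceNames` to the accounts the e2e run actually manages or carry a comment justifying why full create/delete is required. The Role's metadata and any further rules lie outside this hunk.
```yaml
  # … unchanged: rbac.authorization.k8s.io rule (rolebindings get/list/watch) …
  - apiGroups: [""]
    resources: ["configmaps", "serviceaccounts"]
    # NOTE(review): confirm the deploy script really needs create/delete on
    # serviceaccounts; otherwise drop them or scope with resourceNames.
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    # read-only: a CI identity should not be able to delete the event trail
    verbs: ["get", "list"]
```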
@@ -40,4 +40,4 @@ subjects:
|
|||||||
roleRef:
|
roleRef:
|
||||||
kind: Role
|
kind: Role
|
||||||
name: e2e-ci-runner
|
name: e2e-ci-runner
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|||||||