fix: remove create/delete on roles/rolebindings per QA review

Removes privilege-escalation permissions from RBAC manifest per PRI-554 QA review. The rbac.authorization.k8s.io rule now grants only get/list/watch on rolebindings (needed for deploy script to verify existing bindings exist). Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 00:35:38 +00:00
parent 97ef7788e2
commit c815b2fd44
1 changed files with 3 additions and 3 deletions
@@ -13,8 +13,8 @@ metadata:
  namespace: privilegedescalation-dev
 rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "watch", "create", "delete"]
+    resources: ["rolebindings"]
+    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "serviceaccounts", "events"]
    verbs: ["get", "list", "create", "delete"]
@@ -40,4 +40,4 @@ subjects:
 roleRef:
  kind: Role
  name: e2e-ci-runner
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io