From fcbf8b57159be121a7a0ebff41eaae4d3b8d31f8 Mon Sep 17 00:00:00 2001
From: "Christian M. Adams"
Date: Tue, 14 Sep 2021 00:32:28 -0400
Subject: [PATCH] Reduce awx-operator service account permissions

---
 ansible/templates/role.yml.j2 | 28 +++++++++++++++++++++++++---
 deploy/awx-operator.yaml | 28 +++++++++++++++++++++++++---
 2 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2
index 391ec61b..60c12b0d 100644
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -11,7 +11,13 @@ rules:
 - routes
 - routes/custom-host
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 - "rbac.authorization.k8s.io"
@@ -28,7 +34,13 @@ rules:
 - roles
 - rolebindings
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apps
 - networking.k8s.io
@@ -39,7 +51,13 @@ rules:
 - statefulsets
 - ingresses
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
@@ -66,6 +84,8 @@ rules:
 - ""
 resources:
 - pods/exec
+ - pods/attach
+ - pods/log # log & attach rules needed to be able to grant them to AWX service account
 verbs:
 - create
 - get
@@ -75,6 +95,8 @@ rules:
 - replicasets
 verbs:
 - get
+ verbs:
+ - create
 - apiGroups:
 - awx.ansible.com
 resources:
diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml
index 4fc65b80..286a537f 100644
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -621,7 +621,13 @@ rules:
 - routes
 - routes/custom-host
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - ""
 - "rbac.authorization.k8s.io"
@@ -638,7 +644,13 @@ rules:
 - roles
 - rolebindings
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apps
 - networking.k8s.io
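Review bot: After `@@ -28,7 +34,13 @@` the rule covering `roles` and `rolebindings` (apiGroups `""` and `rbac.authorization.k8s.io`) still carries `create`, `delete`, `patch` and `update`, i.e. full write access to RBAC objects, which is the most sensitive grant in this role, and nothing in the hunk or the commit message records why it is still required. A comment above the rule naming what the operator manages would let a later reviewer tell intended from leftover access, e.g. `# write verbs on roles/rolebindings: the operator presumably creates and reconciles the AWX service account's Role and RoleBinding — confirm`. Note that `bind` and `escalate` are not among the verbs, so Kubernetes' RBAC escalation check still limits what this identity can grant to what it holds itself. The rule's `apiGroups` and the start of its `resources` list are outside the hunk.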
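Review bot: In `@@ -66,6 +84,8 @@` the only justification for `pods/attach` and `pods/log` is a trailing inline comment on the `pods/log` line, and it does not say why the operator's own service account must hold them; with the visible verbs `create` and `get`, `pods/attach` gives the operator attach-level access to every pod in the role's scope, a real widening inside a commit titled "Reduce ... permissions". Move the comment above the rule and state the mechanism the inline text implies, e.g. `# pods/exec, pods/attach and pods/log are held here only because Kubernetes RBAC escalation prevention requires the granter to hold every permission it grants to the AWX service account`, and put two spaces before `#` per yamllint's `comments` rule. Whether this rule lives in a Role or a ClusterRole is not visible from the hunk, and the rule's `apiGroups` begin before it. The same two lines appear in `deploy/awx-operator.yaml` at `@@ -676,6 +694,8 @@`.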
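Review bot: The two lines added in `@@ -75,6 +95,8 @@` put a second `verbs:` key into a rule mapping that already has `verbs:` / `- get`, so the document is invalid under the YAML 1.2 spec and most loaders silently keep only the last key: the rule ends up granting `create` on `replicasets` and losing `get`, or a strict decoder rejects the manifest outright; yamllint's `key-duplicates` rule would flag it. If `create` was meant for this resource set, append it to the existing list under the single key, `verbs:` / `- get` / `- create`; if it was meant for a different resource set, it needs its own `- apiGroups:` entry. The same duplicate key is introduced in `deploy/awx-operator.yaml` at `@@ -685,6 +705,8 @@`. The rule's `apiGroups` and the start of its `resources` list lie before the hunk.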
@@ -649,7 +661,13 @@ rules:
 - statefulsets
 - ingresses
 verbs:
- - '*'
+ - get
+ - list
+ - create
+ - delete
+ - patch
+ - update
+ - watch
 - apiGroups:
 - monitoring.coreos.com
 resources:
@@ -676,6 +694,8 @@ rules:
 - ""
 resources:
 - pods/exec
+ - pods/attach
+ - pods/log # log & attach rules needed to be able to grant them to AWX service account
 verbs:
 - create
 - get
@@ -685,6 +705,8 @@ rules:
 - replicasets
 verbs:
 - get
+ verbs:
+ - create
 - apiGroups:
 - awx.ansible.com
 resources: