Reduce awx-operator service account permissions

2026-03-26 21:33:14 +00:00 · 2021-09-14 00:32:28 -04:00
parent 1165492185
commit fcbf8b5715
2 changed files with 50 additions and 6 deletions
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -11,7 +11,13 @@ rules:
      - routes
      - routes/custom-host
    verbs:
-      - '*'
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
  - apiGroups:
      - ""
      - "rbac.authorization.k8s.io"
@@ -28,7 +34,13 @@ rules:
      - roles
      - rolebindings
    verbs:
-      - '*'
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
  - apiGroups:
      - apps
      - networking.k8s.io
@@ -39,7 +51,13 @@ rules:
      - statefulsets
      - ingresses
    verbs:
-      - '*'
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
@@ -66,6 +84,8 @@ rules:
      - ""
    resources:
      - pods/exec
+      - pods/attach
+      - pods/log  # log & attach rules needed to be able to grant them to AWX service account
    verbs:
      - create
      - get
@@ -75,6 +95,8 @@ rules:
      - replicasets
    verbs:
      - get
+    verbs:
+      - create
  - apiGroups:
      - awx.ansible.com
    resources: