
Commit c498c71

fix(operator): Restrict webhook and CRD permissions with resourceNames (#638)
1 parent c3d890f commit c498c71

2 files changed

+26
-7
lines changed


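--- a/deployments/kai-scheduler/templates/rbac/operator.yaml
+++ b/deployments/kai-scheduler/templates/rbac/operator.yaml
@@ -43,24 +43,42 @@ rules:
 - validatingwebhookconfigurations
 verbs:
 - create
-- delete
 - get
 - list
+- watch
+- apiGroups:
+- admissionregistration.k8s.io
+resourceNames:
+- kai-podgroup-validation-v2alpha2
+- kai-queue-validation-v2
+- mutating-kai-admission
+- validating-kai-admission
+resources:
+- mutatingwebhookconfigurations
+- validatingwebhookconfigurations
+verbs:
+- delete
 - patch
 - update
-- watch
 - apiGroups:
 - apiextensions.k8s.io
 resources:
 - customresourcedefinitions
 verbs:
 - create
-- delete
 - get
 - list
+- watch
+- apiGroups:
+- apiextensions.k8s.io
+resourceNames:
+- queues.scheduling.run.ai
+resources:
+- customresourcedefinitions
+verbs:
+- delete
 - patch
 - update
-- watch
 - apiGroups:
 - apps
 resources: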
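Review bot: The name-scoped rules added at new lines 49-60 and 72-79 hard-code the same webhook and CRD names that the kubebuilder markers in pkg/operator/controller/config_controller.go carry; if this chart template is maintained by hand rather than regenerated from those markers, the two lists can drift, and a renamed webhook configuration would make `delete`/`patch`/`update` fail at runtime with a forbidden error rather than at review time. The unscoped `create` rule that remains above each resourceNames block is correct but not obvious: Kubernetes RBAC cannot restrict `create` by resourceNames because the object name is not known at authorization time, so a short comment such as `# create cannot be scoped by resourceNames; mutating verbs are restricted in the rule below` would stop a later "tightening" that silently breaks webhook installation. I cannot tell from this hunk whether the webhook configuration names are templated elsewhere in the chart (for example with a release-name prefix); if they are, the literal names here will not match the objects the operator actually creates. The rules list continues outside the hunk.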

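--- a/pkg/operator/controller/config_controller.go
+++ b/pkg/operator/controller/config_controller.go
@@ -75,9 +75,10 @@ func (r *ConfigReconciler) SetOperands(ops []operands.Operand) {
 // +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=services;secrets;serviceaccounts;configmaps;persistentvolumeclaims;pods;endpoints,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,resourceNames=kai-podgroup-validation-v2alpha2;kai-queue-validation-v2;mutating-kai-admission;validating-kai-admission,verbs=delete;update;patch
+// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create
+// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,resourceNames=queues.scheduling.run.ai,verbs=delete;update;patch
+// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create
 // +kubebuilder:rbac:groups="nvidia.com",resources=clusterpolicies,verbs=get;list;watch
 // +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheuses;servicemonitors,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="scheduling.run.ai",resources=queues,verbs=get;list;watch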
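Review bot: The split at new lines 78-81 into a name-scoped rule for `delete;update;patch` and an unscoped rule for `get;list;watch;create` is not explained, and a maintainer could later try to add `resourceNames` to the `create` marker too, which Kubernetes RBAC would not honour (create cannot be restricted by name because the name is not known at authorization time) and which would break webhook and CRD installation. Suggest a plain comment above line 78: `// Mutating verbs are pinned to the operator-owned webhook/CRD names; get/list/watch/create stay unscoped because RBAC cannot restrict create by resourceNames.` It is also worth stating in the commit description that the operator's ServiceAccount keeps cluster-wide create on these resources, so the change limits tampering with existing webhook configurations and CRDs rather than creation of new ones. These markers sit after the SetOperands signature shown in the hunk context; the function they annotate is outside the hunk.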
