restrict permissions for clusterrole and clusterrolebinding to specific resources

lokielse · lokielse · commit 7d21ad238b54 · 2025-11-17T15:53:24.000+08:00
Signed-off-by: lokielse &lt;lokielse@gmail.com&gt;
diff --git a/deployments/gpu-operator/templates/clusterrole.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
@@ -43,12 +43,33 @@ rules:
   - clusterrolebindings
   verbs:
   - create
-  - get
   - list
   - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterroles
+  - clusterrolebindings
+  verbs:
+  - get
   - update
   - patch
   - delete
+  resourceNames:
+  - nvidia-cc-manager
+  - nvidia-device-plugin
+  - nvidia-device-plugin-mps-control-daemon
+  - nvidia-driver
+  - nvidia-gpu-feature-discovery
+  - nvidia-kata-manager
+  - nvidia-mig-manager
+  - nvidia-node-status-exporter
+  - nvidia-operator-validator
+  - nvidia-sandbox-device-plugin
+  - nvidia-sandbox-validator
+  - nvidia-vfio-manager
+  - nvidia-vgpu-device-manager
+  - nvidia-vgpu-manager
 - apiGroups:
   - ""
   resources:
