Remove un-required permissions for the manager-role of the new `AutoScalingRunnerSet` (#2260)

2023-02-07 12:37:09 -05:00 · 2023-02-07 12:37:09 -05:00 · facae69e0b
parent 8f62e35f6b
commit facae69e0b
6 changed files with 6 additions and 110 deletions
--- a/charts/actions-runner-controller-2/templates/manager_role.yaml
+++ b/charts/actions-runner-controller-2/templates/manager_role.yaml
@ -110,14 +110,6 @@ rules:
 - apiGroups:
  - ""
  resources:
-  - events
-  verbs:
-  - create
-  - patch
- apiGroups:
-  - ""
-  resources:
-  - namespaces
  - pods
  verbs:
  - create
@ -130,57 +122,9 @@ rules:
 - apiGroups:
  - ""
  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - namespaces/status
  - pods/status
  verbs:
  - get
- apiGroups:
-  - ""
-  resources:
-  - persistentvolumes
-  verbs:
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - pods/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
  - ""
  resources:
@ -223,28 +167,4 @@ rules:
  - get
  - update
  - list
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - create
-  - get
- apiGroups:
-  - ""
-  resources:
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - "batch"
-  resources:
-  - jobs
-  verbs:
-  - get
-  - list
-  - create
-  - delete
+  - watch
--- a/charts/actions-runner-controller-2/tests/template_test.go
+++ b/charts/actions-runner-controller-2/tests/template_test.go
@ -162,7 +162,7 @@ func TestTemplate_CreateManagerRole(t *testing.T) {

 	assert.Empty(t, managerRole.Namespace, "ClusterRole should not have a namespace")
 	assert.Equal(t, "test-arc-actions-runner-controller-2-manager-role", managerRole.Name)
-	assert.Equal(t, 25, len(managerRole.Rules))
+	assert.Equal(t, 17, len(managerRole.Rules))
 }

 func TestTemplate_ManagerRoleBinding(t *testing.T) {
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -306,26 +306,6 @@ rules:
  verbs:
  - create
  - patch
- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - namespaces/status
-  - pods/status
-  verbs:
-  - get
 - apiGroups:
  - ""
  resources:
--- a/controllers/actions.github.com/autoscalingrunnerset_controller.go
+++ b/controllers/actions.github.com/autoscalingrunnerset_controller.go
@ -68,8 +68,6 @@ type AutoscalingRunnerSetReconciler struct {
 	resourceBuilder resourceBuilder
 }

-// +kubebuilder:rbac:groups=core,resources=namespaces;pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=namespaces/status;pods/status,verbs=get
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets/finalizers,verbs=update
--- a/controllers/actions.github.com/ephemeralrunner_controller.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller.go
@ -59,12 +59,8 @@ type EphemeralRunnerReconciler struct {
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/finalizers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;delete
-// +kubebuilder:rbac:groups=core,resources=pods/finalizers,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
-// +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=create;delete;get
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;delete;get
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;delete;get
+// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=create;get;list;watch;delete

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
--- a/controllers/actions.github.com/ephemeralrunnerset_controller.go
+++ b/controllers/actions.github.com/ephemeralrunnerset_controller.go
@ -56,6 +56,8 @@ type EphemeralRunnerSetReconciler struct {

 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get

 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.