Remove un-required permissions for the manager-role of the new `AutoScalingRunnerSet` (#2260)

2023-02-07 12:37:09 -05:00 · 2023-02-07 12:37:09 -05:00 · facae69e0b
parent 8f62e35f6b
commit facae69e0b
6 changed files with 6 additions and 110 deletions
--- a/charts/actions-runner-controller-2/templates/manager_role.yaml
+++ b/charts/actions-runner-controller-2/templates/manager_role.yaml
@ -110,14 +110,6 @@ rules:
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
 - apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - create
@ -130,57 +122,9 @@ rules:
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - namespaces/status
  - pods/status
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - pods/finalizers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
@ -224,27 +168,3 @@ rules:
  - update
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
  - get
 - apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - "batch"
  resources:
  - jobs
  verbs:
  - get
  - list
  - create
  - delete
--- a/charts/actions-runner-controller-2/tests/template_test.go
+++ b/charts/actions-runner-controller-2/tests/template_test.go
@ -162,7 +162,7 @@ func TestTemplate_CreateManagerRole(t *testing.T) {
 	assert.Empty(t, managerRole.Namespace, "ClusterRole should not have a namespace")
 	assert.Equal(t, "test-arc-actions-runner-controller-2-manager-role", managerRole.Name)
-	assert.Equal(t, 25, len(managerRole.Rules))
+	assert.Equal(t, 17, len(managerRole.Rules))
 }
 func TestTemplate_ManagerRoleBinding(t *testing.T) {
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@ -306,26 +306,6 @@ rules:
  verbs:
  - create
  - patch
 - apiGroups:
  - ""
  resources:
  - namespaces
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - namespaces/status
  - pods/status
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
--- a/controllers/actions.github.com/autoscalingrunnerset_controller.go
+++ b/controllers/actions.github.com/autoscalingrunnerset_controller.go
@ -68,8 +68,6 @@ type AutoscalingRunnerSetReconciler struct {
 	resourceBuilder resourceBuilder
 }
 // +kubebuilder:rbac:groups=core,resources=namespaces;pods,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=namespaces/status;pods/status,verbs=get
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=autoscalingrunnersets/finalizers,verbs=update
--- a/controllers/actions.github.com/ephemeralrunner_controller.go
+++ b/controllers/actions.github.com/ephemeralrunner_controller.go
@ -59,12 +59,8 @@ type EphemeralRunnerReconciler struct {
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/finalizers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;delete
+// +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get
-// +kubebuilder:rbac:groups=core,resources=pods/finalizers,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=create;get;list;watch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=create;delete;get
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles,verbs=create;delete;get
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=create;delete;get
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
--- a/controllers/actions.github.com/ephemeralrunnerset_controller.go
+++ b/controllers/actions.github.com/ephemeralrunnerset_controller.go
@ -56,6 +56,8 @@ type EphemeralRunnerSetReconciler struct {
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunnersets/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=actions.github.com,resources=ephemeralrunners/status,verbs=get
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.