From 629feac98f275f01e6cdbfa2ed350cb6ef1f4a20 Mon Sep 17 00:00:00 2001
From: Felix Kunde <felix-kunde@gmx.de>
Date: Mon, 16 Dec 2019 17:07:36 +0100
Subject: [PATCH] Remove bind verb and explain privileges (#765)

Closes #256
---
 manifests/operator-service-account-rbac.yaml | 28 +++++++++++++-------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/manifests/operator-service-account-rbac.yaml b/manifests/operator-service-account-rbac.yaml
index e95fe320b..a37abe476 100644
--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@@ -10,6 +10,7 @@ kind: ClusterRole
 metadata:
   name: zalando-postgres-operator
 rules:
+# all verbs allowed for custom operator resources
 - apiGroups:
   - acid.zalan.do
   resources:
@@ -18,6 +19,7 @@ rules:
   - operatorconfigurations
   verbs:
   - "*"
+# to create or get/update CRDs when starting up
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -27,12 +29,14 @@ rules:
   - get
   - patch
   - update
+# to read configuration from ConfigMaps
 - apiGroups:
   - ""
   resources:
   - configmaps
   verbs:
   - get
+# to manage endpoints which are also used by Patroni
 - apiGroups:
   - ""
   resources:
@@ -45,6 +49,7 @@ rules:
   - list
   - patch
   - watch  # needed if zalando-postgres-operator account is used for pods as well
+# to CRUD secrets for database access
 - apiGroups:
   - ""
   resources:
@@ -54,6 +59,7 @@ rules:
   - update
   - delete
   - get
+# to check nodes for node readiness label
 - apiGroups:
   - ""
   resources:
@@ -62,6 +68,7 @@ rules:
   - get
   - list
   - watch
+# to read or delete existing PVCs. Creation via StatefulSet
 - apiGroups:
   - ""
   resources:
@@ -70,6 +77,7 @@ rules:
   - delete
   - get
   - list
+ # to read existing PVs. Creation should be done via dynamic provisioning
 - apiGroups:
   - ""
   resources:
@@ -78,6 +86,7 @@ rules:
   - get
   - list
   - update  # only for resizing AWS volumes
+# to watch Spilo pods and do rolling updates. Creation via StatefulSet
 - apiGroups:
   - ""
   resources:
@@ -88,12 +97,14 @@ rules:
   - list
   - watch
   - patch
+# to resize the filesystem in Spilo pods when increasing volume size
 - apiGroups:
   - ""
   resources:
   - pods/exec
   verbs:
   - create
+# to CRUD services to point to Postgres cluster instances
 - apiGroups:
   - ""
   resources:
@@ -103,6 +114,7 @@ rules:
   - delete
   - get
   - patch
+# to CRUD the StatefulSet which controls the Postgres cluster instances
 - apiGroups:
   - apps
   resources:
@@ -113,12 +125,14 @@ rules:
   - get
   - list
   - patch
+# to get namespaces operator resources can run in
 - apiGroups:
   - ""
   resources:
   - namespaces
   verbs:
   - get
+# to define PDBs. Update happens via delete/create
 - apiGroups:
   - policy
   resources:
@@ -127,6 +141,7 @@ rules:
   - create
   - delete
   - get
+# to create ServiceAccounts in each namespace the operator watches
 - apiGroups:
   - ""
   resources:
@@ -134,6 +149,7 @@ rules:
   verbs:
   - get
   - create
+# to create role bindings to the operator service account
 - apiGroups:
   - "rbac.authorization.k8s.io"
   resources:
@@ -141,18 +157,11 @@ rules:
   verbs:
   - get
   - create
-- apiGroups:
-  - "rbac.authorization.k8s.io"
-  resources:
-  - clusterroles
-  verbs:
-  - bind
-  resourceNames:
-  - zalando-postgres-operator
+# to CRUD cron jobs for logical backups
 - apiGroups:
   - batch
   resources:
-  - cronjobs  # enables logical backups
+  - cronjobs
   verbs:
   - create
   - delete
@@ -160,6 +169,7 @@ rules:
   - list
   - patch
   - update
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding