Merge pull request #4 from fabiante/feat/reduce-rbac-permissions

Remove finalizer rbac permissions

Author: fabiante

config/rbac/role.yaml

@@ -12,13 +12,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps/finalizers
-  - pods/finalizers
-  verbs:
-  - update
 - apiGroups:
   - ""
   resources:

internal/controller/configmap_controller.go

@@ -48,10 +48,8 @@ const (
 	configMapObjectName      = "podbouncer-config" // TODO: Make configurable
 )
 
-// TODO: Check if the permissions below are too broad. Maybe there are permissions this controller does not actually need.
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=configmaps/status,verbs=get
-// +kubebuilder:rbac:groups=core,resources=configmaps/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

internal/controller/pod_controller.go

@@ -41,10 +41,8 @@ type PodReconciler struct {
 
 const excludedNamespace = "kube-system"
 
-// TODO: Check if the permissions below are too broad. Maybe there are permissions this controller does not actually need.
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=pods/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=pods/finalizers,verbs=update
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.