rbac: replace wildcard with a clear list of allowed verbs

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml

@@ -53,7 +53,13 @@ rules:
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -169,8 +175,14 @@ rules:
       - coordination.k8s.io
     resources:
       - leases
+    resourceNames:
+      - kube-ovn-controller
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources:

charts/kube-ovn/templates/ovn-CR.yaml

@@ -53,7 +53,13 @@ rules:
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -169,8 +175,14 @@ rules:
       - coordination.k8s.io
     resources:
       - leases
+    resourceNames:
+      - kube-ovn-controller
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources:

dist/images/install.sh

@@ -4097,7 +4097,13 @@ rules:
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -4213,8 +4219,14 @@ rules:
       - coordination.k8s.io
     resources:
       - leases
+    resourceNames:
+      - kube-ovn-controller
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources: