Restrict secrets RBAC to namespace-scoped Role

Author: ChughShilpa

manifests/base/kustomization.yaml

@@ -5,6 +5,8 @@ resources:
   - ./rbac/cluster-role-binding.yaml
   - ./rbac/role.yaml
   - ./rbac/service-account.yaml
+  - ./rbac/webhook-secret-role.yaml
+  - ./rbac/webhook-secret-role-binding.yaml
   - ./webhook
   - service.yaml
   - deployment.yaml

manifests/base/rbac/role.yaml

@@ -43,15 +43,6 @@ rules:
   - pods/exec
   verbs:
   - create
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:

manifests/base/rbac/webhook-secret-role-binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: training-operator
+  name: training-operator-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: training-operator-webhook
+subjects:
+- kind: ServiceAccount
+  name: training-operator

manifests/base/rbac/webhook-secret-role.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: training-operator
+  name: training-operator-webhook
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - update
+  - watch

pkg/cert/cert.go

@@ -38,7 +38,8 @@ type Config struct {
 	WebhookConfigurationName string
 }
 
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
+// Note: Secrets access is handled via a namespace-scoped Role (not ClusterRole) to limit
+// permissions to the operator's own namespace only. See manifests/base/rbac/webhook-secret-role.yaml.
 //+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update
 
 // ManageCerts creates all certs for webhooks.