rbac: replace wildcard with a clear list of allowed verbs (kubeovn#6233)

zhangzujian · zbb88888 · commit 0f99cb299673 · 2026-02-02T18:13:45.000+08:00
Signed-off-by: zhangzujian &lt;zhangzujian.7@gmail.com&gt;
diff --git a/charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml b/charts/kube-ovn-v2/templates/rbac/ovn-CR.yaml
@@ -53,7 +53,13 @@ rules:
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -170,7 +176,11 @@ rules:
     resources:
       - leases
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources:
diff --git a/charts/kube-ovn/templates/ovn-CR.yaml b/charts/kube-ovn/templates/ovn-CR.yaml
@@ -53,7 +53,13 @@ rules:
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -170,7 +176,11 @@ rules:
     resources:
       - leases
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources:
diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -4077,7 +4077,13 @@ rules:
       - qos-policies
       - qos-policies/status
     verbs:
-      - "*"
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - watch
+      - delete
   - apiGroups:
       - ""
     resources:
@@ -4194,7 +4200,11 @@ rules:
     resources:
       - leases
     verbs:
-      - "*"
+      - create
+      - update
+      - patch
+      - get
+      - watch
   - apiGroups:
       - "kubevirt.io"
     resources:
