[BUG] Build Controller Has Permission to Modify CRDs

[adambkaplan]

Is there an existing issue for this?

• I have searched the existing issues

Kubernetes Version

Kubernetes 1.30.0

Shipwright Version

v0.14.0

Current Behavior

In #1646, the build controller was granted permission to patch CustomResourceDefinitions. This presents a minor security risk due to the controller having excessive permissions (violates principle of least privilege).

Admins using the version migrator should create a dedicated service account and RBAC for this purpose.

Expected Behavior

The build controller should not have permission to modify CRDs.

Steps To Reproduce

1. Install Shipwright Builds v0.14.0.
2. Inspect the RBAC granted to the build controller's service account.

Anything else?

No response

[qu1queee]

@adambkaplan @SaschaSchwarze0 is this issue ready to be pick?

[SaschaSchwarze0]

@adambkaplan @SaschaSchwarze0 is this issue ready to be pick?

Imo yes. My suggestion to address this:

• revert the clusterrole changes that were made in Add script for storage version migartion of crds #1646
• add an additional cluster role with the necessary permissions together with a cluster role binding and service account, do NOT include those three artifacts in a release build when the large yaml is built
• apply those three in https://github.com/shipwright-io/build/blob/main/hack/storage-version-migration.sh before creating the job and delete them when the job is finished, use the new service account in the job.
• one could create the three resources even inline like the job itself