From ba3dfc418a7d418eee8f38e1e530e61f5958f900 Mon Sep 17 00:00:00 2001
From: Tariq Ibrahim
Date: Mon, 10 Jun 2024 10:23:16 -0700
Subject: [PATCH] [OCP] restrict RBAC perms of gpu-operator in OLM bundle
Signed-off-by: Tariq Ibrahim
---
...rator-certified.clusterserviceversion.yaml | 144 ++++----------------
.../gpu-operator/templates/clusterrole.yaml | 2 -
2 files changed, 29 insertions(+), 117 deletions(-)
diff --git a/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml b/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
index 23af97a20..959a32745 100644
--- a/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
+++ b/bundle/manifests/gpu-operator-certified.clusterserviceversion.yaml
@@ -587,7 +587,12 @@ spec:
- apiGroups:
- nvidia.com
resources:
- '*'
+ - clusterpolicies
+ - clusterpolicies/finalizers
+ - clusterpolicies/status
+ - nvidiadrivers
+ - nvidiadrivers/finalizers
+ - nvidiadrivers/status
verbs:
- create
- delete
@@ -610,7 +615,14 @@ spec:
resources:
- securitycontextconstraints
verbs:
- '*'
+ - use
+ - create
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - delete
- apiGroups:
- security.openshift.io
resources:
@@ -627,7 +639,13 @@ spec:
- roles
- rolebindings
verbs:
- '*'
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
- apiGroups:
- ""
resources:
@@ -656,8 +674,6 @@ spec:
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- create
- delete
@@ -690,7 +706,13 @@ spec:
resources:
- leases
verbs:
- '*'
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
- apiGroups:
- monitoring.coreos.com
resources:
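Review bot: The new nvidia.com rule gives `clusterpolicies/status`, `clusterpolicies/finalizers` and the two `nvidiadrivers` subresources the same verb list as the parent resources, so they inherit at least `create` and `delete` (the only verbs visible before the hunk ends; the rest of the list is outside it). Status and finalizers subresources only respond to `get`/`update`/`patch`, so the extra verbs look inert to me, but folding them into one catch-all list hides which verbs the controller actually exercises and is the kind of thing that drifts back toward `'*'`. Suggest a second rule for the subresources carrying only the verbs a status/finalizer writer needs, as below, and leaving the parent resources with the existing list.
```yaml
- apiGroups:
  - nvidia.com
  resources:
  - clusterpolicies
  - nvidiadrivers
  verbs:
  # … unchanged: existing verb list (create, delete, …) …
- apiGroups:
  - nvidia.com
  resources:
  - clusterpolicies/finalizers
  - clusterpolicies/status
  - nvidiadrivers/finalizers
  - nvidiadrivers/status
  verbs:
  - get
  - update
  - patch
```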
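Review bot: The replacement verb list on `securitycontextconstraints` (`use`, `create`, `get`, `list`, `watch`, `patch`, `update`, `delete`) is the full mutating set on every SCC in the cluster, so in privilege terms it is the same grant as the `'*'` it replaces: a compromised operator pod can still rewrite `privileged`/`anyuid` or `use` any SCC when it creates pods, since SCC admission also considers the creating service account's SCC access. Unless the operator genuinely reconciles arbitrary SCCs, split the rule: keep `create`, `list`, `watch` unscoped (RBAC cannot restrict `create` by `resourceNames`) and pin `use`, `get`, `update`, `patch`, `delete` with `resourceNames` to the SCCs the operator itself owns — their names are not visible in this hunk, so fill them in from the controller. The rule's `apiGroups` header sits above the hunk.
```yaml
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - security.openshift.io
  resourceNames:
  - operator-owned-scc  # TODO(review): replace with the SCC names the controller creates
  resources:
  - securitycontextconstraints
  verbs:
  - use
  - get
  - update
  - patch
  - delete
```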
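Review bot: Replacing `'*'` on `roles`/`rolebindings` with an explicit list silently drops the implicit `bind` and `escalate` verbs, which is a behavior change the commit message does not call out: from now on every Role the operator creates or updates must be a subset of its own ClusterRole, and every RoleBinding it creates must reference a role whose permissions it already holds, or the API server's escalation check rejects the write with 403. That is the right direction, but it will surface as a confusing reconcile failure the first time an operand role outgrows the operator's permissions, so I'd record it next to the rule: `# no bind/escalate: any Role/RoleBinding the operator creates must stay within this ClusterRole`. Separately, this rule still grants cluster-wide write on roles/rolebindings in every namespace; if the operator only provisions them for operands in a known namespace (not visible here), a namespaced rule would be tighter than the ClusterRole.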
@@ -716,121 +738,13 @@ spec:
resources:
- customresourcedefinitions
verbs:
- - get
- - list
- - watch
- permissions:
- - serviceAccountName: gpu-operator
- rules:
- - apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - roles
- - rolebindings
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - pods
- - pods/eviction
- - services
- - services/finalizers
- - endpoints
- - persistentvolumeclaims
- - events
- - configmaps
- - secrets
- verbs:
- create
- - delete
- get
- list
- - patch
- - update
- watch
- - apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- - replicasets
- - statefulsets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- update
- - watch
- - apiGroups:
- - apps
- resources:
- - controllerrevisions
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - monitoring.coreos.com
- resources:
- - servicemonitors
- - prometheusrules
- verbs:
- - get
- - create
- - list
- - update
- - watch
- - delete
- - apiGroups:
- - apps
- resourceNames:
- - gpu-operator
- resources:
- - deployments/finalizers
- verbs:
- - update
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - apiGroups:
- - apps
- resources:
- - replicasets
- - deployments
- verbs:
- - get
- - apiGroups:
- - nvidia.com
- resources:
- - '*'
- verbs:
- - create
- - delete
- - get
- - list
- patch
- - update
- - watch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - '*'
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - list
- - watch
+ - delete
deployments:
- name: gpu-operator
spec:
diff --git a/deployments/gpu-operator/templates/clusterrole.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
index 8428ada50..ab5168ad8 100644
--- a/deployments/gpu-operator/templates/clusterrole.yaml
+++ b/deployments/gpu-operator/templates/clusterrole.yaml
@@ -147,10 +147,8 @@ rules:
- list
- watch
- apiGroups:
- - ""
- coordination.k8s.io
resources:
- - configmaps
- leases
verbs:
- get
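Review bot: The new side of this hunk widens the cluster-scoped `customresourcedefinitions` rule from `get`/`list`/`watch` to `create`/`get`/`list`/`watch`/`update`/`patch`/`delete` — the `+ - delete` at the end is the only added line, but the hunk header (`+738,13`) and the context lines git pulled out of the removed block mean the resulting verb list is the full set — which is the opposite of the commit's stated intent. Cluster-wide `delete` on a CRD cascades to every custom resource of that type in every namespace, and `create`/`update` let this service account define or rewrite arbitrary API types; the namespaced `permissions` Role being removed here only had `get`/`list`/`watch` on CRDs, so nothing in the old manifest needed write access. If the operator now really has to manage CRDs (installing or upgrading them is plausible but not visible here), keep only `create`/`list`/`watch` unscoped — `create` cannot be name-restricted — and pin `get`/`update`/`patch`/`delete` with `resourceNames` to its own CRDs, whose names follow from the nvidia.com resources this CSV already lists; otherwise revert the verb list to `get`/`list`/`watch` and state the change in the commit message.
```yaml
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - clusterpolicies.nvidia.com
  - nvidiadrivers.nvidia.com
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
  - patch
  - delete
```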