Description
Please describe your use case / problem.
A review of the RBAC permissions given to the edge-stack pods seems overly permissive. Here are some examples:
https://github.com/datawire/edge-stack/blob/main/charts/edge-stack/templates/rbac.yaml#L27-L29
Does this actually need to read every secret in every namespace?
Similarly, it's allowed to delete any CRD:

```yaml
rules:
- apiGroups: [ "apiextensions.k8s.io" ]
  resources: [ "customresourcedefinitions" ]
  verbs: ["get", "list", "watch", "delete"]
```
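As an added example (not code from the issue or from the edge-stack project), a small Python check that walks the rules of a ClusterRole as returned by `kubectl get clusterrole <name> -o json` and flags the two grants questioned above: cluster-wide read of secrets and delete on CRDs, including wildcard grants that cover them. The ClusterRole embedded below is a constructed sample modelled on the quoted rule, not the chart's actual rbac.yaml.

```python
"""Flag overly broad grants in a Kubernetes ClusterRole JSON document."""
import json

# Resource -> verbs that deserve review when granted cluster-wide.
SENSITIVE = {
    "secrets": {"get", "list", "watch"},                       # read every secret
    "customresourcedefinitions": {"delete", "deletecollection"},  # remove CRDs
}

# Constructed sample modelled on the rules quoted in the issue (assumption:
# not the real chart output). Shape matches `kubectl ... -o json`.
SAMPLE_CLUSTERROLE = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "edge-stack-sample"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "delete"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
})

# Constructed sample of a fully wildcarded role, the worst case to detect.
WILDCARD_CLUSTERROLE = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "wildcard-sample"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
})


def flag_broad_rules(clusterrole_json):
    """Return [(resource, verbs)] for every rule granting a sensitive verb on a
    sensitive resource; a wildcard resource or verb counts as matching."""
    role = json.loads(clusterrole_json)
    findings = []
    for rule in role.get("rules", []):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        for resource, risky_verbs in SENSITIVE.items():
            if resource not in resources and "*" not in resources:
                continue
            hit = ["*"] if "*" in verbs else sorted(risky_verbs & verbs)
            if hit:
                findings.append((resource, hit))
    return findings


if __name__ == "__main__":
    for resource, verbs in flag_broad_rules(SAMPLE_CLUSTERROLE):
        print(f"REVIEW: cluster-wide {verbs} on {resource}")
```

Pipe a real `kubectl get clusterrole <name> -o json` into `flag_broad_rules` to review the deployed role rather than the sample.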
Describe the solution you'd like
At minimum, it would be nice to have an explanation of what's going on that seems to require these permissions. Better would be to be a bit more specific about which secrets, CRDs, etc. actually need to be managed.
Describe alternatives you've considered
Disabling unsavory permissions until I've had a chance to review the code and/or see errors in the logs.
Additional context
n/a