Update role and clusterRole permissions

chiragkyal · chiragkyal · commit 3f502a348932 · 2025-08-20T19:05:47.000+05:30
Signed-off-by: chiragkyal &lt;ckyal@redhat.com&gt;

Remove resourceNames from role and rolebinding

Signed-off-by: chiragkyal &lt;ckyal@redhat.com&gt;
diff --git a/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
@@ -204,7 +204,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2025-08-19T13:00:56Z"
+    createdAt: "2025-08-20T13:34:45Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -429,8 +429,6 @@ spec:
           resources:
           - customresourcedefinitions
           verbs:
-          - create
-          - delete
           - get
           - patch
           - update
@@ -586,46 +584,11 @@ spec:
           - get
           - patch
           - update
-        - apiGroups:
-          - rbac.authorization.k8s.io
-          resourceNames:
-          - external-secrets-cert-controller
-          - external-secrets-controller
-          resources:
-          - clusterrolebindings
-          verbs:
-          - create
-          - delete
-          - get
-          - patch
-          - update
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:
           - clusterrolebindings
           - clusterroles
-          verbs:
-          - list
-          - watch
-        - apiGroups:
-          - rbac.authorization.k8s.io
-          resourceNames:
-          - external-secrets-cert-controller
-          - external-secrets-controller
-          - external-secrets-edit
-          - external-secrets-servicebindings
-          - external-secrets-view
-          resources:
-          - clusterroles
-          verbs:
-          - create
-          - delete
-          - get
-          - patch
-          - update
-        - apiGroups:
-          - rbac.authorization.k8s.io
-          resources:
           - rolebindings
           - roles
           verbs:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -91,8 +91,6 @@ rules:
   resources:
   - customresourcedefinitions
   verbs:
-  - create
-  - delete
   - get
   - patch
   - update
@@ -248,46 +246,11 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resourceNames:
-  - external-secrets-cert-controller
-  - external-secrets-controller
-  resources:
-  - clusterrolebindings
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
   - clusterrolebindings
   - clusterroles
-  verbs:
-  - list
-  - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resourceNames:
-  - external-secrets-cert-controller
-  - external-secrets-controller
-  - external-secrets-edit
-  - external-secrets-servicebindings
-  - external-secrets-view
-  resources:
-  - clusterroles
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
   - rolebindings
   - roles
   verbs:
diff --git a/hack/validate-rbac-resourcenames.sh b/hack/validate-rbac-resourcenames.sh
@@ -109,14 +109,6 @@ validate_deployments() {
     validate_resource_type "Deployments" "deployments" "Deployment" "extract_asset_names"
 }
 
-validate_clusterroles() {
-    validate_resource_type "ClusterRoles" "clusterroles" "ClusterRole" "extract_asset_names"
-}
-
-validate_clusterrolebindings() {
-    validate_resource_type "ClusterRoleBindings" "clusterrolebindings" "ClusterRoleBinding" "extract_asset_names"
-}
-
 validate_webhooks() {
     validate_resource_type "ValidatingWebhookConfigurations" "validatingwebhookconfigurations" "ValidatingWebhookConfiguration" "extract_asset_names"
 }
@@ -125,6 +117,14 @@ validate_crds() {
     validate_resource_type "CustomResourceDefinitions" "customresourcedefinitions" "" "extract_crd_names"
 }
 
+validate_roles() {
+    validate_resource_type "Roles" "roles" "Role" "extract_asset_names"
+}
+
+validate_rolebindings() {
+    validate_resource_type "RoleBindings" "rolebindings" "RoleBinding" "extract_asset_names"
+}
+
 main() {
     local exit_code=0
     
@@ -133,14 +133,14 @@ main() {
     
     validate_deployments || exit_code=1
     echo
-    validate_clusterroles || exit_code=1
-    echo
-    validate_clusterrolebindings || exit_code=1
-    echo
     validate_webhooks || exit_code=1
     echo
     validate_crds || exit_code=1
     echo
+    validate_roles || exit_code=1
+    echo
+    validate_rolebindings || exit_code=1
+    echo
     
     if [[ $exit_code -eq 0 ]]; then
         echo "All RBAC resourceNames validations passed!"
diff --git a/pkg/controller/external_secrets/controller.go b/pkg/controller/external_secrets/controller.go
@@ -96,11 +96,7 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups=operator.openshift.io,resources=externalsecrets/finalizers,verbs=update
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch
 
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;create;update;patch;delete,resourceNames=external-secrets-controller;external-secrets-cert-controller;external-secrets-edit;external-secrets-view;external-secrets-servicebindings
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=list;watch
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;create;update;patch;delete,resourceNames=external-secrets-controller;external-secrets-cert-controller
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=list;watch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;create;update;patch,resourceNames=externalsecret-validate;secretstore-validate
 // +kubebuilder:rbac:groups="",resources=events;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;delete;patch
@@ -113,7 +109,7 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=create
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=list;watch
-// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;create;update;patch;delete,resourceNames=externalsecrets.external-secrets.io;secretstores.external-secrets.io;clustersecretstores.external-secrets.io;clusterexternalsecrets.external-secrets.io;pushsecrets.external-secrets.io;clusterpushsecrets.external-secrets.io;acraccesstokens.generators.external-secrets.io;clustergenerators.generators.external-secrets.io;ecrauthorizationtokens.generators.external-secrets.io;gcraccesstokens.generators.external-secrets.io;generatorstates.generators.external-secrets.io;githubaccesstokens.generators.external-secrets.io;grafanas.generators.external-secrets.io;mfas.generators.external-secrets.io;passwords.generators.external-secrets.io;quayaccesstokens.generators.external-secrets.io;sshkeys.generators.external-secrets.io;stssessiontokens.generators.external-secrets.io;uuids.generators.external-secrets.io;vaultdynamicsecrets.generators.external-secrets.io;webhooks.generators.external-secrets.io;externalsecrets.operator.openshift.io;externalsecretsmanagers.operator.openshift.io
+// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;update;patch,resourceNames=externalsecrets.external-secrets.io;secretstores.external-secrets.io;clustersecretstores.external-secrets.io;clusterexternalsecrets.external-secrets.io;pushsecrets.external-secrets.io;clusterpushsecrets.external-secrets.io;acraccesstokens.generators.external-secrets.io;clustergenerators.generators.external-secrets.io;ecrauthorizationtokens.generators.external-secrets.io;gcraccesstokens.generators.external-secrets.io;generatorstates.generators.external-secrets.io;githubaccesstokens.generators.external-secrets.io;grafanas.generators.external-secrets.io;mfas.generators.external-secrets.io;passwords.generators.external-secrets.io;quayaccesstokens.generators.external-secrets.io;sshkeys.generators.external-secrets.io;stssessiontokens.generators.external-secrets.io;uuids.generators.external-secrets.io;vaultdynamicsecrets.generators.external-secrets.io;webhooks.generators.external-secrets.io;externalsecrets.operator.openshift.io;externalsecretsmanagers.operator.openshift.io
 // +kubebuilder:rbac:groups=external-secrets.io,resources=clusterexternalsecrets;clustersecretstores;clusterpushsecrets;externalsecrets;secretstores;pushsecrets,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=external-secrets.io,resources=clusterexternalsecrets/finalizers;clustersecretstores/finalizers;externalsecrets/finalizers;pushsecrets/finalizers;secretstores/finalizers;clusterpushsecrets/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=external-secrets.io,resources=clusterexternalsecrets/status;clustersecretstores/status;externalsecrets/status;pushsecrets/status;secretstores/status;clusterpushsecrets/status,verbs=get;update;patch
