
Commit 0ce9ce0

committed
Security Fix: Reduce permissions in tekton-scheduler-role and limit to tekton-operator service account only
1 parent c154af5 commit 0ce9ce0

2 files changed

Lines changed: 31 additions & 10 deletions


config/base/tekton_scheduler_role.yaml

Lines changed: 28 additions & 7 deletions
@@ -21,18 +21,41 @@ rules:
2121
- kueue.x-k8s.io
2222
resources:
2323
- resourceflavors
24-
- workloads
25-
- workloads/finalizers
26-
- workloads/status
2724
- workloadpriorityclasses
2825
verbs:
2926
- get
3027
- list
28+
- watch
29+
- apiGroups:
30+
- kueue.x-k8s.io
31+
resources:
32+
- workloadpriorityclasses
33+
verbs:
34+
- create
35+
36+
- apiGroups:
37+
- kueue.x-k8s.io
38+
resources:
39+
- workloads
40+
verbs:
3141
- create
32-
- update
3342
- delete
3443
- patch
35-
- watch
44+
- update
45+
- apiGroups:
46+
- kueue.x-k8s.io
47+
resources:
48+
- workloads/finalizers
49+
verbs:
50+
- update
51+
- apiGroups:
52+
- kueue.x-k8s.io
53+
resources:
54+
- workloads/status
55+
verbs:
56+
- get
57+
- patch
58+
- update
3659
- apiGroups:
3760
- scheduling.k8s.io
3861
resources:
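Review bot: the new rule that covers only `workloads` grants `create`, `delete`, `patch` and `update` but no `get`, `list` or `watch`, so any read of a Workload after creation (an informer, a `Get` to check admission status, a list to reconcile) will be denied by RBAC; either that read path does not exist in the operator, in which case this is fine, or a read-only rule on `workloads` is still needed. The separate rule granting `create` on the cluster-scoped `workloadpriorityclasses` is the one remaining write outside Workload objects; if the priority classes can be provisioned with the deployment manifests instead, that rule can go too. Style point: the empty line between the `workloadpriorityclasses` rule and the `workloads` rule is the only blank line inside the `rules:` list and should be removed for consistency with the rest of the file.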
@@ -49,8 +72,6 @@ rules:
4972
verbs:
5073
- get
5174
- create
52-
- update
53-
- list
5475
- nonResourceURLs:
5576
- /metrics
5677
verbs:
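Review bot: dropping `update` (and `list`) on the `scheduling.k8s.io` resource while keeping `create` and `get` means the operator can create the object once but cannot reconcile it afterward; that is the right shape only if the controller treats the object as create-if-absent and never issues an `Update`/`Patch` on it, so please confirm the reconcile loop matches, otherwise it will start failing with a forbidden error on the first drift. The resource name itself sits outside the hunk's context lines, so the reviewer cannot check from the diff alone which resource this is.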

config/base/tekton_scheduler_role_binding.yaml

Lines changed: 3 additions & 3 deletions
@@ -17,9 +17,9 @@ apiVersion: rbac.authorization.k8s.io/v1
1717
metadata:
1818
name: tekton-scheduler-rolebinding
1919
subjects:
20-
- kind: Group
21-
apiGroup: rbac.authorization.k8s.io
22-
name: 'system:authenticated'
20+
- kind: ServiceAccount
21+
name: tekton-operator
22+
namespace: tekton-operator
2323
roleRef:
2424
apiGroup: rbac.authorization.k8s.io
2525
kind: ClusterRole
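Review bot: replacing the `system:authenticated` Group subject with the `tekton-operator` ServiceAccount is the actual fix, but two things are not verifiable from the hunk. First, the binding's own `kind` is above the shown context: the role grants cluster-scoped resources (`resourceflavors`, `workloadpriorityclasses`) and `nonResourceURLs` (`/metrics`), which only take effect through a `ClusterRoleBinding`; if `tekton-scheduler-rolebinding` is a namespaced `RoleBinding`, those grants are silently ignored. Second, `namespace: tekton-operator` is now hardcoded; if the deployment namespace is set elsewhere in the kustomize base or overlays, the subject must be kept in sync or the binding points at a ServiceAccount that does not exist and the operator loses all of these permissions. A one-line note in the commit message or docs that this tightens access from every authenticated principal to a single ServiceAccount would also help anyone reviewing the upgrade.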
