From dff7dd7ec3c9b990408c1c0ce297fee0a17513be Mon Sep 17 00:00:00 2001
From: casey-coreweave
Date: Fri, 29 May 2026 10:57:51 -0700
Subject: [PATCH 1/2] fix(operator): Slim out default rbac SA Tokens and secrets access

---
 internal/controller/reconciler/rbac.go | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/internal/controller/reconciler/rbac.go b/internal/controller/reconciler/rbac.go
index 66dcd298..14ee51ef 100644
--- a/internal/controller/reconciler/rbac.go
+++ b/internal/controller/reconciler/rbac.go
@@ -36,7 +36,7 @@ func createOrUpdateServiceAccount(
 			},
 			Annotations: wandb.Spec.Wandb.ServiceAccount.Annotations,
 		},
-		AutomountServiceAccountToken: ptr.To(true),
+		AutomountServiceAccountToken: ptr.To(false),
 	}
 
 	if err := controllerutil.SetControllerReference(wandb, serviceAccount, client.Scheme()); err != nil {
@@ -87,15 +87,10 @@ func createOrUpdateRole(
 			},
 		},
 		Rules: []v4.PolicyRule{
-			{
-				APIGroups: []string{""},
-				Resources: []string{"secrets"},
-				Verbs:     []string{"get", "create", "update", "delete"},
-			},
 			{
 				APIGroups: []string{""},
 				Resources: []string{"namespaces"},
-				Verbs:     []string{"get", "list"},
+				Verbs:     []string{"get"},
 			},
 		},
 	}

From 67f73e41b3ec4dec3361c2b0495b05797e79c845 Mon Sep 17 00:00:00 2001
From: casey-coreweave
Date: Fri, 29 May 2026 11:08:39 -0700
Subject: [PATCH 2/2] fix(operator): Force authenticated for OIDC discovery ClusterRoleBinding

---
 internal/controller/reconciler/rbac.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/internal/controller/reconciler/rbac.go b/internal/controller/reconciler/rbac.go
index 14ee51ef..d6a07ef3 100644
--- a/internal/controller/reconciler/rbac.go
+++ b/internal/controller/reconciler/rbac.go
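Review bot: The `AutomountServiceAccountToken: ptr.To(false)` line is a contract change for every pod bound to this ServiceAccount, and nothing in the hunk records how workloads that still need API access now obtain a token; add `// Token injection is opt-in per pod (projected volume); never automount by default.` above it so the next maintainer does not flip it back. The second patch's const comment says internal auth uses projected tokens, so the intent seems clear, but the pod templates are not visible from here — confirm that none of them still relies on the automounted token. createOrUpdateServiceAccount's body starts and ends outside this hunk.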
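Review bot: After the rule removal the Role's only rule is `get` on `namespaces`, and a reader will wonder why a namespaced Role references a cluster-scoped resource; a comment on that rule would keep a later slimming pass from deleting it, e.g. `// Lets the app read its own Namespace object; a namespaced Role cannot authorize a cluster-wide namespace list.` As far as I recall, a get on a Namespace object is authorized as a request within that namespace, so this Role can only ever grant reading the Role's own namespace and the dropped `list` verb was effectively inert — worth confirming against whatever in the app used to call list, since that caller will now see a 403 either way. createOrUpdateRole's body continues outside this hunk.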
@@ -16,6 +16,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
+const (
+	oidcDiscoveryClusterRoleName = "system:service-account-issuer-discovery"
+
+	// Internal service auth uses projected service-account tokens, so issuer
+	// discovery only needs authenticated Kubernetes callers.
+	oidcDiscoverySubjectGroup = "system:authenticated"
+)
+
 // createOrUpdateServiceAccount creates or updates the ServiceAccount for the W&B applications
 func createOrUpdateServiceAccount(
 	ctx context.Context,
@@ -209,13 +217,13 @@ func createOrUpdateOIDCDiscoveryClusterRoleBinding(
 		RoleRef: v4.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     "system:service-account-issuer-discovery",
+			Name:     oidcDiscoveryClusterRoleName,
 		},
 		Subjects: []v4.Subject{
 			{
 				APIGroup: "rbac.authorization.k8s.io",
 				Kind:     "Group",
-				Name:     "system:unauthenticated",
+				Name:     oidcDiscoverySubjectGroup,
 			},
 		},
 	}
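Review bot: The comment on `oidcDiscoverySubjectGroup` explains why anonymous access is no longer needed but not who the remaining callers are, and that is what decides whether `system:authenticated` is the right group: if only in-cluster workloads fetch the issuer metadata, `system:serviceaccounts` would be narrower, since `system:authenticated` also covers every human user and node identity in the cluster. I'd extend the comment to name the callers, e.g. `// Bound to system:authenticated rather than system:serviceaccounts because <CALLERS> also need discovery.` with the placeholder filled in, or tighten the group if no such callers exist. The constant is consumed by the second hunk in createOrUpdateOIDCDiscoveryClusterRoleBinding.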
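Review bot: The subject change from `system:unauthenticated` to `system:authenticated` only takes effect on existing clusters if the update path overwrites `Subjects` on an already-present ClusterRoleBinding; the create-or-update logic of createOrUpdateOIDCDiscoveryClusterRoleBinding starts outside this hunk, so I cannot tell whether it does. If it only populates the object when absent, clusters upgraded from the previous release keep the anonymous binding. A reconcile test that seeds a binding carrying the old subject and asserts it is replaced would pin this down.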