From 2564bd3da237c797d587db5e8973fd4257bdf7c4 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 13 Oct 2022 02:56:23 +0200
Subject: [PATCH] refactor(apps): Rework flux reconciler permissions

This patch removes the custom reconciler Role and replaces it with the
general admin ClusterRole; this helps to restrict access to only the
safe namespace resources.
---
 apps/base/forecastle/namespace.yaml    | 14 ++------------
 apps/base/gitlab-runner/namespace.yaml | 14 ++------------
 apps/base/goharbor/namespace.yaml      | 14 ++------------
 apps/base/keycloak/namespace.yaml      | 14 ++------------
 apps/base/mail/namespace.yaml          | 14 ++------------
 apps/base/matrix/namespace.yaml        | 14 ++------------
 apps/base/nextcloud/namespace.yaml     | 14 ++------------
 apps/base/renovate/namespace.yaml      | 14 ++------------
 8 files changed, 16 insertions(+), 96 deletions(-)

diff --git a/apps/base/forecastle/namespace.yaml b/apps/base/forecastle/namespace.yaml
index fd234355a..696c5807c 100644
--- a/apps/base/forecastle/namespace.yaml
+++ b/apps/base/forecastle/namespace.yaml
@@ -17,24 +17,14 @@ metadata:
   namespace: forecastle
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: forecastle-reconciler
-  namespace: forecastle
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: forecastle-reconciler
   namespace: forecastle
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: forecastle-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: forecastle-reconciler
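Review bot: The new `kind: ClusterRole` / `name: admin` roleRef only grants the reconciler the built-in namespaced resources plus those custom resources whose ClusterRoles carry the `rbac.authorization.k8s.io/aggregate-to-admin: "true"` label, whereas the removed Role granted `["*"]` on every apiGroup, so any CRD that Flux reconciles in this namespace without that aggregation will start failing with a forbidden error and the cluster's aggregated ClusterRoles should be checked before this is applied. I would add above `roleRef:` the comment `# admin ClusterRole: built-in namespaced resources plus CRDs aggregated via aggregate-to-admin; no write access to the Namespace object or ResourceQuotas`. Note also that `admin` still permits creating Roles and RoleBindings inside the namespace, so the service account can delegate whatever it holds to other subjects; that is narrower than the old wildcard but worth stating in the commit message. The gitlab-runner, goharbor, keycloak, mail, matrix, nextcloud and renovate hunks make the same change and carry the same caveat.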
diff --git a/apps/base/gitlab-runner/namespace.yaml b/apps/base/gitlab-runner/namespace.yaml
index 6007b95ab..17914e5da 100644
--- a/apps/base/gitlab-runner/namespace.yaml
+++ b/apps/base/gitlab-runner/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: gitlab-runner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitlab-runner-reconciler
-  namespace: gitlab-runner
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: gitlab-runner-reconciler
   namespace: gitlab-runner
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitlab-runner-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: gitlab-runner-reconciler
diff --git a/apps/base/goharbor/namespace.yaml b/apps/base/goharbor/namespace.yaml
index 15df40ed4..7134d5dd1 100644
--- a/apps/base/goharbor/namespace.yaml
+++ b/apps/base/goharbor/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: goharbor
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: goharbor
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flux-reconciler
   namespace: goharbor
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: flux-reconciler
diff --git a/apps/base/keycloak/namespace.yaml b/apps/base/keycloak/namespace.yaml
index 0deeb3785..1384e40e4 100644
--- a/apps/base/keycloak/namespace.yaml
+++ b/apps/base/keycloak/namespace.yaml
@@ -10,24 +10,14 @@ metadata:
   namespace: keycloak
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-reconciler
-  namespace: keycloak
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: keycloak-reconciler
   namespace: keycloak
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: keycloak-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: keycloak-reconciler
diff --git a/apps/base/mail/namespace.yaml b/apps/base/mail/namespace.yaml
index 7e1eb63f8..a0a4c8db8 100644
--- a/apps/base/mail/namespace.yaml
+++ b/apps/base/mail/namespace.yaml
@@ -10,24 +10,14 @@ metadata:
   namespace: mail
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: mail
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flux-reconciler
   namespace: mail
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: flux-reconciler
diff --git a/apps/base/matrix/namespace.yaml b/apps/base/matrix/namespace.yaml
index c839643f5..a04bf7faf 100644
--- a/apps/base/matrix/namespace.yaml
+++ b/apps/base/matrix/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: matrix
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: matrix-reconciler
-  namespace: matrix
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: matrix-reconciler
   namespace: matrix
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: matrix-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: matrix-reconciler
diff --git a/apps/base/nextcloud/namespace.yaml b/apps/base/nextcloud/namespace.yaml
index 243de68a6..63ffbfca3 100644
--- a/apps/base/nextcloud/namespace.yaml
+++ b/apps/base/nextcloud/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
   namespace: nextcloud
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: nextcloud-reconciler
-  namespace: nextcloud
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: nextcloud-reconciler
   namespace: nextcloud
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: nextcloud-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: nextcloud-reconciler
diff --git a/apps/base/renovate/namespace.yaml b/apps/base/renovate/namespace.yaml
index 4c3b08a4d..c4c9e233f 100644
--- a/apps/base/renovate/namespace.yaml
+++ b/apps/base/renovate/namespace.yaml
@@ -17,24 +17,14 @@ metadata:
   namespace: renovate
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: renovate
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: flux-reconciler
   namespace: renovate
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
   - kind: ServiceAccount
     name: flux-reconciler
-- 
GitLab