From e17a8366fa75e5dc563056579a686176881e5c6c Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 5 Feb 2024 22:46:17 +0100
Subject: [PATCH] fix(system-upgrade): Align permissions even better

---
 bootstrap/system-upgrades/clusterrole.yaml    | 40 ++++++++++++++-----
 .../system-upgrades/clusterrolebinding.yaml   | 12 ++++++
 2 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/bootstrap/system-upgrades/clusterrole.yaml b/bootstrap/system-upgrades/clusterrole.yaml
index 881805797..ca360cc84 100644
--- a/bootstrap/system-upgrades/clusterrole.yaml
+++ b/bootstrap/system-upgrades/clusterrole.yaml
@@ -3,21 +3,12 @@ kind: ClusterRole
 metadata:
   name: system-upgrade-controller
 rules:
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - patch
-  - update
 - apiGroups:
   - ""
   resources:
-  - secrets
   - namespaces
+  - nodes
+  - customresourcedefinitions
   verbs:
   - get
   - list
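Review bot: `customresourcedefinitions` is added under `apiGroups: [""]`, but CRDs belong to the `apiextensions.k8s.io` group, so this entry grants nothing and any CRD reads the controller performs will still be denied (the `nodes` entry is correct, since nodes are a core-group resource). The resource should sit in its own rule with the right group; the verb list of the core-group rule continues past the hunk, so only the two visible verbs are mirrored below and the rest need to be carried over by hand.
```yaml
  - nodes
  verbs:
  # … unchanged: verb list of the core-group rule (continues past the hunk) …
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  # add whatever remaining verbs the core-group rule above grants
```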
@@ -34,6 +25,33 @@ rules:
   - patch
   - delete
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
 # Borrowed from https://stackoverflow.com/a/63553032
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
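Review bot: The new `Role` carries no `metadata.namespace`, so the `jobs` and `secrets` grants land in whichever namespace the applying tool selects (`kubectl -n`, or a kustomization `namespace:` if this directory is rendered by kustomize — not visible here); applied with a bare `kubectl apply`, they would end up in `default` rather than where the controller runs. Pinning it with `namespace: <controller-namespace>` under `metadata` makes the scope explicit and matches the least-privilege intent of moving these rules out of the ClusterRole. As a point of style, a `Role` living in `clusterrole.yaml` is easy to overlook; a one-line comment above it, `# Namespaced rules: jobs and secrets are only needed in the controller's own namespace`, would help the next reader.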
diff --git a/bootstrap/system-upgrades/clusterrolebinding.yaml b/bootstrap/system-upgrades/clusterrolebinding.yaml
index 4a1ae37fe..1c30e7f06 100644
--- a/bootstrap/system-upgrades/clusterrolebinding.yaml
+++ b/bootstrap/system-upgrades/clusterrolebinding.yaml
@@ -20,5 +20,17 @@ roleRef:
   kind: ClusterRole
   name: system-upgrade-controller
 subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-upgrade-controller
+subjects:
 - kind: ServiceAccount
   name: system-upgrade
\ No newline at end of file
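Review bot: The `ServiceAccount` subject added to the ClusterRoleBinding, and the one the new RoleBinding inherits as context, both omit `namespace`; the RBAC API requires a namespace on ServiceAccount subjects, so unless a kustomize namespace transformer fills it in (not visible from this patch), the API server will reject both bindings. Adding `namespace: <controller-namespace>` under each subject, and `metadata.namespace` on the RoleBinding so it is created alongside the Role, removes the dependency on the applier's context. The file also now ends without a trailing newline, which yamllint flags.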
-- 
GitLab