fix(system-upgrade): Align permissions even better

e17a8366 · Sheogorath · be6bac9a · e17a8366 · e17a8366
Verified Commit e17a8366 authored 1 year ago by Sheogorath
--- a/bootstrap/system-upgrades/clusterrole.yaml
+++ b/bootstrap/system-upgrades/clusterrole.yaml
@@ -3,21 +3,12 @@ kind: ClusterRole
 metadata:
  name: system-upgrade-controller
 rules:
- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - patch
-  - update
 - apiGroups:
  - ""
  resources:
-  - secrets
  - namespaces
+  - nodes
+  - customresourcedefinitions
  verbs:
  - get
  - list
@@ -34,6 +25,33 @@ rules:
  - patch
  - delete
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
 # Borrowed from https://stackoverflow.com/a/63553032
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

--- a/bootstrap/system-upgrades/clusterrolebinding.yaml
+++ b/bootstrap/system-upgrades/clusterrolebinding.yaml
@@ -20,5 +20,17 @@ roleRef:
  kind: ClusterRole
  name: system-upgrade-controller
 subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-upgrade-controller
+subjects:
 - kind: ServiceAccount
  name: system-upgrade
\ No newline at end of file