Improve security posture pruning unnecessary rbac (#172)

ajaysundark · web-flow · commit 62e8b4f6c3d1 · 2026-03-17T12:45:38.000+05:30
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
@@ -7,18 +7,6 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: leader-election-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -31,10 +19,3 @@ rules:
   - update
   - patch
   - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -16,34 +16,22 @@ rules:
   resources:
   - nodes
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
   - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes/finalizers
-  verbs:
-  - update
 - apiGroups:
   - ""
   resources:
   - nodes/status
   verbs:
   - get
-  - patch
-  - update
 - apiGroups:
   - readiness.node.x-k8s.io
   resources:
   - nodereadinessrules
   verbs:
-  - create
-  - delete
   - get
   - list
   - patch
diff --git a/internal/controller/node_controller.go b/internal/controller/node_controller.go
@@ -81,9 +81,8 @@ func (r *NodeReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager)
 		Complete(r)
 }
 
-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=core,resources=nodes/finalizers,verbs=update
+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get
 
 // NodeReconciler handles node changes
 
diff --git a/internal/controller/nodereadinessrule_controller.go b/internal/controller/nodereadinessrule_controller.go
@@ -87,7 +87,7 @@ func (r *RuleReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager)
 		Complete(r)
 }
 
-// +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules/finalizers,verbs=update
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch

Original file line number	Diff line number	Diff line change
`@@ -81,9 +81,8 @@ func (r *NodeReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager)`
`81`	`81`	`Complete(r)`
`82`	`82`	`}`
`83`	`83`
`84`		`-// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;create;update;patch;delete`
`85`		`-// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get;update;patch`
`86`		`-// +kubebuilder:rbac:groups=core,resources=nodes/finalizers,verbs=update`
	`84`	`+// +kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch;update;patch`
	`85`	`+// +kubebuilder:rbac:groups=core,resources=nodes/status,verbs=get`
`87`	`86`
`88`	`87`	`// NodeReconciler handles node changes`
`89`	`88`
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ func (r *RuleReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager)`
`87`	`87`	`Complete(r)`
`88`	`88`	`}`
`89`	`89`
`90`		`-// +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules,verbs=get;list;watch;create;update;patch;delete`
	`90`	`+// +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules,verbs=get;list;watch;update;patch`
`91`	`91`	`// +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules/status,verbs=get;update;patch`
`92`	`92`	`// +kubebuilder:rbac:groups=readiness.node.x-k8s.io,resources=nodereadinessrules/finalizers,verbs=update`
`93`	`93`	`// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch`