Re-add delete to secrets rbac for cleaning up secrets created as part of ClusterAgentConnection, mirror rbac to helm template

gamingrobot · gamingrobot · commit 9b5617cdf711 · 2025-05-14T16:32:29.000-05:00
diff --git a/manifests/helm/templates/operator/rbac/cluster-role.yaml.tpl b/manifests/helm/templates/operator/rbac/cluster-role.yaml.tpl
@@ -32,7 +32,13 @@ rules:
   resources:
   - secrets
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -49,7 +55,13 @@ rules:
   - agentconnections
   - agentinjectors
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
 - apiGroups:
   - agents.contrastsecurity.com
   resources:
@@ -99,7 +111,13 @@ rules:
   resources:
   - leases
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
 - apiGroups:
   - apps
   resources:
diff --git a/manifests/install/all/operator/base/rbac/cluster-role.yaml b/manifests/install/all/operator/base/rbac/cluster-role.yaml
@@ -37,6 +37,7 @@ rules:
   - create
   - update
   - patch
+  - delete
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
diff --git a/src/Contrast.K8s.AgentOperator/Core/Kube/VerbConstants.cs b/src/Contrast.K8s.AgentOperator/Core/Kube/VerbConstants.cs
@@ -14,5 +14,5 @@ public static class VerbConstants
 
     public const RbacVerb ReadOnly = RbacVerb.Get | RbacVerb.List | RbacVerb.Watch;
 
-    public const RbacVerb FullControl = RbacVerb.AllExplicit;
+    public const RbacVerb All = RbacVerb.AllExplicit;
 }
diff --git a/src/Contrast.K8s.AgentOperator/Entities/BuiltinEntityRbac.cs b/src/Contrast.K8s.AgentOperator/Entities/BuiltinEntityRbac.cs
@@ -12,7 +12,7 @@ namespace Contrast.K8s.AgentOperator.Entities
     [EntityRbac(typeof(V1DaemonSet), Verbs = VerbConstants.ReadAndPatch)]
     [EntityRbac(typeof(V1Deployment), Verbs = VerbConstants.ReadAndPatch)]
     [EntityRbac(typeof(V1Pod), Verbs = VerbConstants.ReadAndPatch)]
-    [EntityRbac(typeof(V1Secret), Verbs = VerbConstants.AllButDelete)]
+    [EntityRbac(typeof(V1Secret), Verbs = VerbConstants.All)]
     [EntityRbac(typeof(V1MutatingWebhookConfiguration), Verbs = VerbConstants.ReadAndPatch)]
     [EntityRbac(typeof(V1StatefulSet), Verbs = VerbConstants.ReadAndPatch)]
     [UsedImplicitly]
diff --git a/src/Contrast.K8s.AgentOperator/Entities/V1Beta1AgentConfiguration.cs b/src/Contrast.K8s.AgentOperator/Entities/V1Beta1AgentConfiguration.cs
@@ -10,7 +10,7 @@
 namespace Contrast.K8s.AgentOperator.Entities;
 
 [KubernetesEntity(Group = "agents.contrastsecurity.com", ApiVersion = "v1beta1", Kind = "AgentConfiguration", PluralName = "agentconfigurations")]
-[EntityRbac(typeof(V1Beta1AgentConfiguration), Verbs = VerbConstants.FullControl)]
+[EntityRbac(typeof(V1Beta1AgentConfiguration), Verbs = VerbConstants.All)]
 public partial class V1Beta1AgentConfiguration : CustomKubernetesEntity<V1Beta1AgentConfiguration.AgentConfigurationSpec>
 {
     public class AgentConfigurationSpec
diff --git a/src/Contrast.K8s.AgentOperator/Entities/V1Beta1AgentConnection.cs b/src/Contrast.K8s.AgentOperator/Entities/V1Beta1AgentConnection.cs
@@ -10,7 +10,7 @@
 namespace Contrast.K8s.AgentOperator.Entities;
 
 [KubernetesEntity(Group = "agents.contrastsecurity.com", ApiVersion = "v1beta1", Kind = "AgentConnection", PluralName = "agentconnections")]
-[EntityRbac(typeof(V1Beta1AgentConnection), Verbs = VerbConstants.FullControl)]
+[EntityRbac(typeof(V1Beta1AgentConnection), Verbs = VerbConstants.All)]
 public partial class V1Beta1AgentConnection : CustomKubernetesEntity<V1Beta1AgentConnection.AgentConnectionSpec>
 {
     public class AgentConnectionSpec
diff --git a/src/Contrast.K8s.AgentOperator/Entities/V1Beta1AgentInjector.cs b/src/Contrast.K8s.AgentOperator/Entities/V1Beta1AgentInjector.cs
@@ -12,7 +12,7 @@
 namespace Contrast.K8s.AgentOperator.Entities;
 
 [KubernetesEntity(Group = "agents.contrastsecurity.com", ApiVersion = "v1beta1", Kind = "AgentInjector", PluralName = "agentinjectors")]
-[EntityRbac(typeof(V1Beta1AgentInjector), Verbs = VerbConstants.FullControl)]
+[EntityRbac(typeof(V1Beta1AgentInjector), Verbs = VerbConstants.All)]
 public partial class V1Beta1AgentInjector : CustomKubernetesEntity<V1Beta1AgentInjector.AgentInjectorSpec>
 {
     public class AgentInjectorSpec

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,5 @@ public static class VerbConstants`
`14`	`14`
`15`	`15`	`public const RbacVerb ReadOnly = RbacVerb.Get \| RbacVerb.List \| RbacVerb.Watch;`
`16`	`16`
`17`		`- public const RbacVerb FullControl = RbacVerb.AllExplicit;`
	`17`	`+ public const RbacVerb All = RbacVerb.AllExplicit;`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`namespace Contrast.K8s.AgentOperator.Entities;`
`11`	`11`
`12`	`12`	`[KubernetesEntity(Group = "agents.contrastsecurity.com", ApiVersion = "v1beta1", Kind = "AgentConfiguration", PluralName = "agentconfigurations")]`
`13`		`-[EntityRbac(typeof(V1Beta1AgentConfiguration), Verbs = VerbConstants.FullControl)]`
	`13`	`+[EntityRbac(typeof(V1Beta1AgentConfiguration), Verbs = VerbConstants.All)]`
`14`	`14`	`public partial class V1Beta1AgentConfiguration : CustomKubernetesEntity<V1Beta1AgentConfiguration.AgentConfigurationSpec>`
`15`	`15`	`{`
`16`	`16`	`public class AgentConfigurationSpec`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`namespace Contrast.K8s.AgentOperator.Entities;`
`13`	`13`
`14`	`14`	`[KubernetesEntity(Group = "agents.contrastsecurity.com", ApiVersion = "v1beta1", Kind = "AgentInjector", PluralName = "agentinjectors")]`
`15`		`-[EntityRbac(typeof(V1Beta1AgentInjector), Verbs = VerbConstants.FullControl)]`
	`15`	`+[EntityRbac(typeof(V1Beta1AgentInjector), Verbs = VerbConstants.All)]`
`16`	`16`	`public partial class V1Beta1AgentInjector : CustomKubernetesEntity<V1Beta1AgentInjector.AgentInjectorSpec>`
`17`	`17`	`{`
`18`	`18`	`public class AgentInjectorSpec`