build, controller: remove list and watch verbs from RBAC

The virt-controller component only requires the `GET` RBAC permissions, thus, all others can be dropped. Signed-off-by: Miguel Duarte Barroso <[email protected]>
zyjj1 · Sep 27, 2023 · cafc17e · cafc17e
1 parent a22d2c1
commit cafc17e
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 7 deletions.
diff --git a/manifests/generated/operator-csv.yaml.in b/manifests/generated/operator-csv.yaml.in
@@ -635,8 +635,6 @@ spec:
           - network-attachment-definitions
           verbs:
           - get
-          - list
-          - watch
         - apiGroups:
           - apiextensions.k8s.io
           resources:

diff --git a/manifests/generated/rbac-operator.authorization.k8s.yaml.in b/manifests/generated/rbac-operator.authorization.k8s.yaml.in
@@ -575,8 +575,6 @@ rules:
   - network-attachment-definitions
   verbs:
   - get
-  - list
-  - watch
 - apiGroups:
   - apiextensions.k8s.io
   resources:

diff --git a/pkg/virt-operator/resource/generate/rbac/controller.go b/pkg/virt-operator/resource/generate/rbac/controller.go
@@ -398,9 +398,7 @@ func newControllerClusterRole() *rbacv1.ClusterRole {
 				Resources: []string{
 					"network-attachment-definitions",
 				},
-				Verbs: []string{
-					"get", "list", "watch",
-				},
+				Verbs: []string{"get"},
 			},
 			{
 				APIGroups: []string{