-
Notifications
You must be signed in to change notification settings - Fork 192
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
OCPBUGS-31353: Minimize wildcard privileges for secrets, configmaps a…
…nd service accounts - Defined operand namespaces in the operator payload to be able to create local roles. - Defined local roles for configmaps and service accounts in the operand namespaces. - Defined a local role for the certificate managment in openshift-config-manager namespace.
- Loading branch information
1 parent
8be1749
commit 5a66cca
Showing
3 changed files
with
114 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# Define operand namespaces to be able to restrict the operator's RBAC permissions. | ||
# This enables limiting the access to sensitive resources (e.g., Secrets, ServiceAccounts, ConfigMaps) | ||
# from cluster-wide scope to specific namespaces. | ||
--- | ||
kind: Namespace | ||
apiVersion: v1 | ||
metadata: | ||
annotations: | ||
capability.openshift.io/name: Ingress | ||
include.release.openshift.io/ibm-cloud-managed: "true" | ||
include.release.openshift.io/self-managed-high-availability: "true" | ||
include.release.openshift.io/single-node-developer: "true" | ||
openshift.io/node-selector: "" | ||
workload.openshift.io/allowed: "management" | ||
labels: | ||
# allow openshift-monitoring to look for ServiceMonitor objects in this namespace | ||
openshift.io/cluster-monitoring: "true" | ||
name: openshift-ingress | ||
# old and new forms of the label for matching with NetworkPolicy | ||
network.openshift.io/policy-group: ingress | ||
policy-group.network.openshift.io/ingress: "" | ||
# Router deployment needs to allow privilege escalation, as well as host | ||
# network and host ports for the "HostNetwork" endpoint publishing strategy, | ||
# which is the default for on-premise platforms. | ||
pod-security.kubernetes.io/enforce: privileged | ||
pod-security.kubernetes.io/audit: privileged | ||
pod-security.kubernetes.io/warn: privileged | ||
name: openshift-ingress | ||
--- | ||
kind: Namespace | ||
apiVersion: v1 | ||
metadata: | ||
annotations: | ||
capability.openshift.io/name: Ingress | ||
include.release.openshift.io/ibm-cloud-managed: "true" | ||
include.release.openshift.io/self-managed-high-availability: "true" | ||
include.release.openshift.io/single-node-developer: "true" | ||
openshift.io/node-selector: "" | ||
workload.openshift.io/allowed: "management" | ||
name: openshift-ingress-canary |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters