From 36b127ca129645faf385eb3a5fc03aa63021b66b Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Tue, 4 Jun 2024 16:33:00 -0600
Subject: [PATCH] Remove list permission for secrets: This is unneeded and a potential security risk.
Signed-off-by: Jacob Weinstock
---
 config/rbac/role.yaml | 1 -
 controller/machine.go | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 93dc1e1..0204eca 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -10,7 +10,6 @@ rules:
 - secrets
 verbs:
 - get
- - list
 - watch
 - apiGroups:
 - bmc.tinkerbell.org
diff --git a/controller/machine.go b/controller/machine.go
index 3ebb322..9f577f4 100644
--- a/controller/machine.go
+++ b/controller/machine.go
@@ -60,7 +60,7 @@ func NewMachineReconciler(c client.Client, recorder record.EventRecorder, bmcCli
 //+kubebuilder:rbac:groups=bmc.tinkerbell.org,resources=machines,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=bmc.tinkerbell.org,resources=machines/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=bmc.tinkerbell.org,resources=machines/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=secrets;,verbs=get;watch
 // Reconcile reports on the state of a Machine. It does not change the state of the Machine in any way.
 // Updates the Power status and conditions accordingly.
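Review bot: The new marker in controller/machine.go still grants `watch` on core Secrets, and a watch stream returns full Secret objects just as `list` does, so dropping `list` alone leaves most of the exposure in place; the same verb set lands in config/rbac/role.yaml. If the reconciler only reads the Secret referenced by a Machine, the least-privilege form would be `//+kubebuilder:rbac:groups="",resources=secrets,verbs=get`, which also drops the stray `;` after `secrets`. If Secrets are read through the manager's cached client instead, the informer needs both `list` and `watch` and would start failing with `get;watch`. How Secrets are fetched is not visible here, since Reconcile's body lies outside the hunk, so confirm that before merging.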