Merge pull request #275 from aramase/regenerate-manifests

chore: regenerate manifests to remove unused rbac permissions

Author: k8s-ci-robot

config/rbac/role.yaml

@@ -25,16 +25,6 @@ rules:
   verbs:
   - get
   - list
-  - update
-  - watch
-- apiGroups:
-  - secrets-store.csi.x-k8s.io
-  resources:
-  - secretproviderclasses/status
-  verbs:
-  - get
-  - patch
-  - update
   - watch
 - apiGroups:
   - secrets-store.csi.x-k8s.io

controllers/secretproviderclasspodstatus_controller.go

@@ -59,8 +59,7 @@ type SecretProviderClassPodStatusReconciler struct {
 
 // +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasspodstatuses,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasspodstatuses/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasses,verbs=get;list;update;watch
-// +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasses/status,verbs=get;patch;update;watch
+// +kubebuilder:rbac:groups=secrets-store.csi.x-k8s.io,resources=secretproviderclasses,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
 
 func (r *SecretProviderClassPodStatusReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {

manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml

@@ -1,40 +1,32 @@
 {{ if .Values.rbac.install }}
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: secretproviderclasses-role
 rules:
 - apiGroups:
-  - secrets-store.csi.x-k8s.io
+  - ""
   resources:
-  - secretproviderclasses
+  - secrets
   verbs:
+  - create
+  - delete
   - get
   - list
-  - update
-  - watch
-- apiGroups:
-  - secrets-store.csi.x-k8s.io
-  resources:
-  - secretproviderclasses/status
-  verbs:
-  - get
   - patch
   - update
   - watch
 - apiGroups:
-  - ""
+  - secrets-store.csi.x-k8s.io
   resources:
-  - secrets
+  - secretproviderclasses
   verbs:
-  - create
-  - delete
   - get
-  - update
-  - patch
-  - watch
   - list
+  - watch
 - apiGroups:
   - secrets-store.csi.x-k8s.io
   resources:
@@ -53,6 +45,6 @@ rules:
   - secretproviderclasspodstatuses/status
   verbs:
   - get
-  - update
   - patch
+  - update
 {{ end }}

manifest_staging/deploy/rbac-secretproviderclass.yaml

@@ -5,51 +5,29 @@ metadata:
   namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: secretproviderclasses-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: secretproviderclasses-role
-subjects:
-- kind: ServiceAccount
-  name: secrets-store-csi-driver
-  namespace: default
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: secretproviderclasses-role
 rules:
 - apiGroups:
-  - secrets-store.csi.x-k8s.io
+  - ""
   resources:
-  - secretproviderclasses
+  - secrets
   verbs:
+  - create
+  - delete
   - get
   - list
-  - update
-  - watch
-- apiGroups:
-  - secrets-store.csi.x-k8s.io
-  resources:
-  - secretproviderclasses/status
-  verbs:
-  - get
   - patch
   - update
   - watch
 - apiGroups:
-  - ""
+  - secrets-store.csi.x-k8s.io
   resources:
-  - secrets
+  - secretproviderclasses
   verbs:
-  - create
-  - delete
   - get
-  - update
-  - patch
   - list
   - watch
 - apiGroups:
@@ -70,5 +48,18 @@ rules:
   - secretproviderclasspodstatuses/status
   verbs:
   - get
-  - update
   - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secretproviderclasses-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secretproviderclasses-role
+subjects:
+- kind: ServiceAccount
+  name: secrets-store-csi-driver
+  namespace: default