Restrict default RBAC for ConfigMaps in Helm chart

Signed-off-by: Jack Henschel <[email protected]>
open-policy-agent · Jun 2, 2022 · 9ed50ba · 9ed50ba
1 parent 7b16cd9
commit 9ed50ba
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/charts/opa-kube-mgmt/templates/rbac-mgmt.yaml b/charts/opa-kube-mgmt/templates/rbac-mgmt.yaml
@@ -11,12 +11,19 @@ metadata:
     component: mgmt
   name: {{ template "opa.mgmtfullname" . }}
 rules:
+  # Inject user-provided RBAC rules
   {{- with .Values.rbac.extraRules }}
   {{ . | toYaml | nindent 2 }}
   {{- end }}
+
+  # Allow kube-mgmt to have "get", "list" and "watch" actions over ConfigMaps at a cluster level
+  # to allow loading policies from any namespace.
+  # Additionally, allow "patch" and "update" actionson ConfigMaps so kube-mgmt can
+  # annotate the ConfigMaps to indicate if they were loaded successfully or not.
   - apiGroups: [""]
     resources: ["configmaps"]
-    verbs: ["*"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
   - apiGroups: [""]
     resources: ["namespaces"]
     verbs: ["get", "list", "watch"]