From 3ffabf1024bae4e4c32717d6fc979c1ddb0e4e5d Mon Sep 17 00:00:00 2001
From: Huamin Chen
Date: Fri, 8 Jun 2018 12:09:54 -0400
Subject: [PATCH 1/2] fine tune rbac
Signed-off-by: Huamin Chen
---
 config/200-clusterrole.yaml | 65 ++++++++++++++++++++++++++++++
 config/201-clusterrolebinding.yaml | 4 +-
 2 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 config/200-clusterrole.yaml
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
new file mode 100644
index 000000000000..0510973274d7
--- /dev/null
+++ b/config/200-clusterrole.yaml
@@ -0,0 +1,65 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: knative-serving-admin
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses","deployments"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "statefulsets"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["serving.knative.dev"]
+ resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["build.dev"]
+ resources: ["builds", "buildtemplates"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["feeds.knative.dev"]
+ resources: ["eventsources", "eventtypes", "binds"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["config.istio.io"]
+ resources: ["routerules"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: knative-serving-write
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses","deployments"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "statefulsets"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["serving.knative.dev"]
+ resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["build.dev"]
+ resources: ["builds", "buildtemplates"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["feeds.knative.dev"]
+ resources: ["eventsources", "eventtypes", "binds"]
+ verbs: ["get", "list", "update", "patch", "watch"]
+ - apiGroups: ["config.istio.io"]
+ resources: ["routerules"]
+ verbs: ["get", "list", "update", "patch", "watch"]
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index 99e5e7fe9639..e9c67ad5d3e7 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -22,7 +22,7 @@ subjects:
 namespace: knative-serving-system
 roleRef:
 kind: ClusterRole
- name: cluster-admin
+ name: knative-serving-admin
 apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -35,5 +35,5 @@ subjects:
 namespace: knative-serving-system
 roleRef:
 kind: ClusterRole
- name: cluster-admin
+ name: knative-serving-write
 apiGroup: rbac.authorization.k8s.io
From 3df32ba3357cf7ea31ba13a01e259ac88abe7758 Mon Sep 17 00:00:00 2001
From: Huamin Chen
Date: Fri, 15 Jun 2018 21:11:41 +0000
Subject: [PATCH 2/2] review feedback
Signed-off-by: Huamin Chen
---
 config/200-clusterrole.yaml | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
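Review bot: The `knative-serving-write` role in this new file still grants `update`/`patch` on the cluster-scoped `mutatingwebhookconfigurations` and `customresourcedefinitions` resources, plus `get`/`list`/`watch` on `secrets`, which (if bound through a ClusterRoleBinding as 201-clusterrolebinding.yaml suggests) reaches every namespace — so it is not the least-privilege "write" role its name implies, even though the patch's intent is to retire `cluster-admin`. Unless the bound ServiceAccount is known to mutate webhook and CRD objects, those two rules could drop to `verbs: ["get", "list", "watch"]`, and the `secrets` access could be narrowed to the namespaces the component actually reads via a namespaced Role plus RoleBinding; confirm against the components that use each role. The file also carries no comment saying which component each role is for; a header such as `# knative-serving-admin: used by <SUBJECT>; knative-serving-write (no create/delete): used by <SUBJECT>` with the real subjects filled in would make the split auditable. Minor style: `resources: ["ingresses","deployments"]` (present in both roles) lacks the space after the comma used by every other list in the file.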
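Review bot: The roleRef now targets a ClusterRole declared with `rbac.authorization.k8s.io/v1`, while the trailing context line `apiVersion: rbac.authorization.k8s.io/v1beta1` shows the bindings themselves are still on the beta API; the same applies to the @@ -35,5 hunk that points the second binding at `knative-serving-write`. Moving both bindings to `apiVersion: rbac.authorization.k8s.io/v1` keeps the two files consistent and avoids depending on v1beta1 being served. Because this swaps `cluster-admin` for hand-written roles, any verb the component needs but the role lacks only shows up as a Forbidden error at runtime; a pre-merge check against the rendered manifests such as `kubectl auth can-i <VERB> <RESOURCE> --as=system:serviceaccount:knative-serving-system:<SERVICEACCOUNT>` for each operation the controller performs would catch that early. The subject names for both bindings are outside the hunk, so which ServiceAccount receives which role cannot be verified here.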
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index 0510973274d7..0aef7b2ad07e 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -22,10 +22,7 @@ rules:
 resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["build.dev"]
- resources: ["builds", "buildtemplates"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- - apiGroups: ["feeds.knative.dev"]
- resources: ["eventsources", "eventtypes", "binds"]
+ resources: ["builds"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["config.istio.io"]
 resources: ["routerules"]
@@ -55,10 +52,7 @@ rules:
 resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
 verbs: ["get", "list", "update", "patch", "watch"]
 - apiGroups: ["build.dev"]
- resources: ["builds", "buildtemplates"]
- verbs: ["get", "list", "update", "patch", "watch"]
- - apiGroups: ["feeds.knative.dev"]
- resources: ["eventsources", "eventtypes", "binds"]
+ resources: ["builds"]
 verbs: ["get", "list", "update", "patch", "watch"]
 - apiGroups: ["config.istio.io"]
 resources: ["routerules"]
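Review bot: The `knative-serving-admin` and `knative-serving-write` roles now hold an identical resource list that differs only in verbs, and this trim had to be applied twice by hand (this hunk and @@ -55,10), which is how the two lists will drift apart on the next edit. A comment at the top of each rules block, e.g. `# keep resources in sync with the knative-serving-write role below` and its counterpart `# keep resources in sync with the knative-serving-admin role above`, would at least flag the coupling to the next editor; generating one role from the other would remove it. The new `resources: ["builds"]` line in @@ -55,10 keeps `update`/`patch` on builds for the write role; if that subject only observes Build status, `verbs: ["get", "list", "watch"]` would be tighter, which is worth confirming against the component before merging. Both hunks leave the surrounding rules untouched.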