feat: add deletecollection right on secrets

traefik · May 28, 2024 · fb69807 · fb69807
1 parent 7112c8a
commit fb69807
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 20 deletions.
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -127,7 +127,6 @@ rules:
       - apiratelimits
       - apis
       - apiversions
-      - edgeingresses
     verbs:
       - list
       - watch
@@ -146,8 +145,6 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - services
-      - endpoints
       - namespaces
       - pods
       - nodes
@@ -193,13 +190,11 @@ rules:
       - update
       - create
       - delete
+      - deletecollection
   - apiGroups:
       - apps
     resources:
-      - deployments
-      - statefulsets
       - replicasets
-      - daemonsets
     verbs:
       - get
       - list
@@ -213,8 +208,4 @@ rules:
       - get
       - list
       - watch
-      - create
-      - update
-      - patch
-      - delete
 {{- end -}}
diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -119,5 +119,90 @@ rules:
     verbs:
       - update
 {{- end -}}
+{{- if $.Values.hub.token }}
+  - apiGroups:
+      - hub.traefik.io
+    resources:
+      - accesscontrolpolicies
+      - apiaccesses
+      - apiportals
+      - apiratelimits
+      - apis
+      - apiversions
+    verbs:
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - get
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - create
+      - delete
+      - deletecollection
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+{{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -793,7 +793,6 @@ tests:
               - apiratelimits
               - apis
               - apiversions
-              - edgeingresses
             verbs:
               - list
               - watch
@@ -820,8 +819,6 @@ tests:
             apiGroups:
               - ""
             resources:
-              - services
-              - endpoints
               - namespaces
               - pods
               - nodes
@@ -883,17 +880,15 @@ tests:
               - update
               - create
               - delete
+              - deletecollection
       - template: rbac/clusterrole.yaml
         contains:
           path: rules
           content:
             apiGroups:
               - apps
             resources:
-              - deployments
-              - statefulsets
               - replicasets
-              - daemonsets
             verbs:
               - get
               - list
@@ -911,7 +906,3 @@ tests:
               - get
               - list
               - watch
-              - create
-              - update
-              - patch
-              - delete