chore: remove unneeded /status,verbs=get RBAC (#808)

Co-authored-by: Grzegorz Burzyński <czeslavo@gmail.com>
Kong · Jan 20, 2025 · b49a82c · b49a82c
1 parent 6c813ae
commit b49a82c
Show file tree

Hide file tree

Showing 8 changed files with 10 additions and 56 deletions.
diff --git a/config/rbac/role/role.yaml b/config/rbac/role/role.yaml
@@ -18,13 +18,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps/status
-  - serviceaccounts/status
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -97,12 +90,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - apps
-  resources:
-  - deployments/status
-  verbs:
-  - get
 - apiGroups:
   - autoscaling
   resources:
@@ -294,9 +281,9 @@ rules:
   - controlplanes/status
   - dataplanes/status
   - kongplugininstallations/status
+  - konnectextensions/finalizers
   - konnectextensions/status
   verbs:
-  - get
   - patch
   - update
 - apiGroups:
@@ -318,13 +305,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - gateway-operator.konghq.com
-  resources:
-  - konnectextensions/finalizers
-  verbs:
-  - patch
-  - update
 - apiGroups:
   - gateway.networking.k8s.io
   resources:
@@ -422,19 +402,12 @@ rules:
   - konnect.konghq.com
   resources:
   - konnectapiauthconfigurations/finalizers
+  - konnectapiauthconfigurations/status
   - konnectgatewaycontrolplanes/finalizers
   - konnectgatewaycontrolplanes/status
   verbs:
   - patch
   - update
-- apiGroups:
-  - konnect.konghq.com
-  resources:
-  - konnectapiauthconfigurations/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
   - networking.k8s.io
   resources:
@@ -489,13 +462,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings/status
-  - clusterroles/status
-  verbs:
-  - get
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

diff --git a/controller/controlplane/controller_rbac.go b/controller/controlplane/controller_rbac.go
@@ -5,17 +5,12 @@ package controlplane
 // -----------------------------------------------------------------------------
 
 // +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=controlplanes,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=controlplanes/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=controlplanes/status,verbs=update;patch
 // +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=controlplanes/finalizers,verbs=update
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles/status,verbs=get
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings/status,verbs=get
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get
 // +kubebuilder:rbac:groups=core,resources=services,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=services/status,verbs=get
 // +kubebuilder:rbac:groups=core,resources=serviceaccounts,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=serviceaccounts/status,verbs=get
 // +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
 // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
diff --git a/controller/dataplane/controller_rbac.go b/controller/dataplane/controller_rbac.go
@@ -5,14 +5,12 @@ package dataplane
 // -----------------------------------------------------------------------------
 
 // +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=dataplanes,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=dataplanes/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=dataplanes/status,verbs=update;patch
 // +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=dataplanes/finalizers,verbs=update
 // +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=konnectextensions,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=konnectextensions/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=konnectextensions/status,verbs=update;patch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=apps,resources=deployments/status,verbs=get
 // +kubebuilder:rbac:groups=core,resources=services,verbs=create;get;list;watch;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=services/status,verbs=get
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch

diff --git a/controller/gateway/controller_rbac.go b/controller/gateway/controller_rbac.go
@@ -5,7 +5,7 @@ package gateway
 // -----------------------------------------------------------------------------
 
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;update;patch
-//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=update;patch
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/finalizers,verbs=update
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses,verbs=get;list;watch
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=referencegrants,verbs=get;list;watch

diff --git a/controller/gatewayclass/controller_rbac.go b/controller/gatewayclass/controller_rbac.go
@@ -4,4 +4,4 @@ package gatewayclass
 // GatewayClassReconciler - RBAC Permissions
 // -----------------------------------------------------------------------------
 
-//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses/status,verbs=get;patch;update
+//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gatewayclasses/status,verbs=patch;update
diff --git a/controller/kongplugininstallation/controller_rbac.go b/controller/kongplugininstallation/controller_rbac.go
@@ -1,7 +1,6 @@
 package kongplugininstallation
 
 //+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=kongplugininstallations,verbs=get;list;watch;update;patch
-//+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=kongplugininstallations/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=kongplugininstallations/status,verbs=update;patch
 //+kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;
-//+kubebuilder:rbac:groups=core,resources=configmaps/status,verbs=get
diff --git a/controller/konnect/reconciler_konnectapiauth_rbac.go b/controller/konnect/reconciler_konnectapiauth_rbac.go
@@ -1,6 +1,6 @@
 package konnect
 
 //+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations,verbs=get;list;watch;update;patch
-//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=konnect.konghq.com,resources=konnectapiauthconfigurations/status,verbs=update;patch
 
 //+kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
diff --git a/controller/specialized/aigateway_controller_rbac.go b/controller/specialized/aigateway_controller_rbac.go
@@ -1,17 +1,13 @@
 package specialized
 
 //+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=aigateways,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=aigateways/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=aigateways/status,verbs=update;patch
 //+kubebuilder:rbac:groups=gateway-operator.konghq.com,resources=aigateways/finalizers,verbs=update
 
 //+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongplugins,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=configuration.konghq.com,resources=kongplugins/status,verbs=get
 
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways/status,verbs=get
 
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=httproutes/status,verbs=get
 
 //+kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=core,resources=services/status,verbs=get