From bbbafe91482c69ad8822389f51824c799577e87d Mon Sep 17 00:00:00 2001
From: Javier Cano Cano
Date: Thu, 7 Sep 2023 16:16:06 +0200
Subject: [PATCH] rbac: Audit `*` verbs from kubevirt-tekton-tasks
It drops `*` verbs of tekton tasks. For this purpose, the process followed is:
* Drop all tekton tasks permissions using `*` verbs.
* Run unit tests.
* Add required permissions.
* Run functional tests.
* Add required permissions.
This process ensures that only strictly required permissions are added.
Fix: https://bugzilla.redhat.com/show_bug.cgi?id=2223775
Signed-off-by: Javier Cano Cano
---
 config/rbac/role.yaml | 32 +++++++------------
 .../ssp-operator.clusterserviceversion.yaml | 32 +++++++------------
 internal/operands/tekton-tasks/reconcile.go | 10 +++---
 3 files changed, 29 insertions(+), 45 deletions(-)
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index ba803b9a8..50a07e654 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -34,24 +34,6 @@ rules: - delete - list - watch -- apiGroups: - - '*' - resources: - - persistentvolumeclaims - verbs: - - '*' -- apiGroups: - - '*' - resources: - - pods - verbs: - - create -- apiGroups: - - '*' - resources: - - secrets - verbs: - - '*' - apiGroups: - admissionregistration.k8s.io resources:
@@ -132,7 +114,6 @@ rules: resources: - datavolumes verbs: - - '*' - create - delete - get
@@ -208,9 +189,20 @@ rules: resources: - pods verbs: + - create - get - list - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch - apiGroups: - "" resources:
@@ -285,7 +277,7 @@ rules: resources: - virtualmachines/finalizers verbs: - - '*' + - get - apiGroups: - monitoring.coreos.com resources:
diff --git a/data/olm-catalog/ssp-operator.clusterserviceversion.yaml b/data/olm-catalog/ssp-operator.clusterserviceversion.yaml
index 533b27720..27c7b8be6 100644
--- a/data/olm-catalog/ssp-operator.clusterserviceversion.yaml
+++ b/data/olm-catalog/ssp-operator.clusterserviceversion.yaml
@@ -92,24 +92,6 @@ spec: - delete - list - watch - - apiGroups: - - '*' - resources: - - persistentvolumeclaims - verbs: - - '*' - - apiGroups: - - '*' - resources: - - pods - verbs: - - create - - apiGroups: - - '*' - resources: - - secrets - verbs: - - '*' - apiGroups: - admissionregistration.k8s.io resources:
@@ -190,7 +172,6 @@ spec: resources: - datavolumes verbs: - - '*' - create - delete - get
@@ -266,9 +247,20 @@ spec: resources: - pods verbs: + - create - get - list - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch - apiGroups: - "" resources:
@@ -343,7 +335,7 @@ spec: resources: - virtualmachines/finalizers verbs: - - '*' + - get - apiGroups: - monitoring.coreos.com resources:
diff --git a/internal/operands/tekton-tasks/reconcile.go b/internal/operands/tekton-tasks/reconcile.go
index 1ac48444b..6ae11e24b 100644
--- a/internal/operands/tekton-tasks/reconcile.go
+++ b/internal/operands/tekton-tasks/reconcile.go
@@ -21,12 +21,12 @@ import (
 // +kubebuilder:rbac:groups=subresources.kubevirt.io,resources=virtualmachines/restart;virtualmachines/start;virtualmachines/stop,verbs=update
 // +kubebuilder:rbac:groups=template.openshift.io,resources=templates,verbs=get;list;watch;create;patch;update;delete
 // +kubebuilder:rbac:groups=template.openshift.io,resources=processedtemplates,verbs=create
-// +kubebuilder:rbac:groups=cdi.kubevirt.io,resources=datavolumes,verbs=*
+// +kubebuilder:rbac:groups=cdi.kubevirt.io,resources=datavolumes,verbs=get;create;delete
 // +kubebuilder:rbac:groups=cdi.kubevirt.io,resources=datasources,verbs=get;create;delete
-// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines/finalizers,verbs=*
-// +kubebuilder:rbac:groups=*,resources=persistentvolumeclaims,verbs=*
-// +kubebuilder:rbac:groups=*,resources=pods,verbs=create
-// +kubebuilder:rbac:groups=*,resources=secrets,verbs=*
+// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines/finalizers,verbs=get
+// +kubebuilder:rbac:groups=core,resources=persistentvolumeclaims,verbs=get;update;delete
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=create
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;create;patch;delete
 const (
 operandName = "tekton-tasks"
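Review bot: The new secrets marker keeps `list` (`verbs=get;list;create;patch;delete`), which, if the generated role is cluster-scoped (its kind is outside these hunks), lets the tekton-tasks service account enumerate every Secret in the cluster, whereas reading a secret it already knows by name needs only `get`; if no task has to list secrets drop `list`, and if one does, record it beside the marker, e.g. `// secrets: list is needed by <task name — TODO confirm> to <reason>`. The `virtualmachines/finalizers` marker now grants only `get`, which is an unusual verb for a finalizers subresource: that subresource exists so a client setting an ownerReference with `blockOwnerDeletion: true` on a VirtualMachine can pass the OwnerReferencesPermissionEnforcement admission plugin, and that check requires `update`, so confirm the functional tests ran with the plugin enabled before keeping `get` alone. The config/rbac/role.yaml and CSV hunks are the generated counterparts of these markers, so the verb sets here are the ones to settle, and the `const (` block opened on the hunk's last line continues outside it.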