From 1a4ade0b5c70e3486a65983c7c4178d1424ee30b Mon Sep 17 00:00:00 2001
From: Sascha Schwarze
Date: Mon, 11 Dec 2023 14:55:13 +0100
Subject: [PATCH] Remove unnecessary permissions from shipwright-build-webhook
---
 deploy/201-role-webhook.yaml | 24 ------------------------
 deploy/301-rolebinding-webhook.yaml | 14 --------------
 deploy/700-deployment-webhook.yaml | 1 +
 3 files changed, 1 insertion(+), 38 deletions(-)
 delete mode 100644 deploy/201-role-webhook.yaml
 delete mode 100644 deploy/301-rolebinding-webhook.yaml
diff --git a/deploy/201-role-webhook.yaml b/deploy/201-role-webhook.yaml
deleted file mode 100644
index b0aaff01ad..0000000000
--- a/deploy/201-role-webhook.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: shipwright-build-webhook
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - events
- - configmaps
- - secrets
- - limitranges
- - namespaces
- - services
- verbs:
- - '*'
-- apiGroups:
- - admissionregistration.k8s.io
- - admissionregistration.k8s.io/v1beta1
- resources:
- - validatingwebhookconfigurations
- verbs:
- - '*'
diff --git a/deploy/301-rolebinding-webhook.yaml b/deploy/301-rolebinding-webhook.yaml
deleted file mode 100644
index 68ae485559..0000000000
--- a/deploy/301-rolebinding-webhook.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: shipwright-build-webhook
- namespace: shipwright-build
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: shipwright-build-webhook
-subjects:
-- kind: ServiceAccount
- name: shipwright-build-webhook
- namespace: shipwright-build
\ No newline at end of file
diff --git a/deploy/700-deployment-webhook.yaml b/deploy/700-deployment-webhook.yaml
index 4138ebdfc7..821c0a1d58 100644
--- a/deploy/700-deployment-webhook.yaml
+++ b/deploy/700-deployment-webhook.yaml
@@ -22,6 +22,7 @@ spec:
 labels:
 name: shp-build-webhook
 spec:
+ automountServiceAccountToken: false
 securityContext:
 runAsNonRoot: true
 serviceAccountName: shipwright-build-webhook
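Review bot: `automountServiceAccountToken: false` only stops the token being mounted into this pod; it does not revoke what the `shipwright-build-webhook` service account is allowed to do. On clusters that already applied the two deleted manifests, the ClusterRole (verbs `'*'` on secrets, pods, configmaps and validatingwebhookconfigurations, among others) and its ClusterRoleBinding stay in place unless the upgrade prunes them, so the account remains over-privileged for any other pod or token request that uses it. An upgrade note telling operators to delete both objects would close that gap, and a comment above the new line, for example `# the webhook needs no Kubernetes API access, so no service account token is mounted`, would record the intent. The pod spec continues outside the hunk, so whether any container still expects the token at its default mount path cannot be checked from here.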