Delete unnecessary k8s resource access permissions

loxilb-io · Oct 29, 2024 · 94f3cab · 94f3cab
1 parent dc5130b
commit 94f3cab
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 139 deletions.
diff --git a/managers/ingress.go b/managers/ingress.go
@@ -68,7 +68,7 @@ func (r *LoxilbIngressReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 	}
 
 	ingress := &netv1.Ingress{}
-	err = r.Client.Get(ctx, req.NamespacedName, ingress)
+	err = r.Get(ctx, req.NamespacedName, ingress)
 	if err != nil {
 		// Ingress is deleted.
 		if errors.IsNotFound(err) {
@@ -186,7 +186,7 @@ func (r *LoxilbIngressReconciler) createLoxiLoadBalancerEndpoints(ctx context.Co
 	}
 
 	ep := &corev1.Endpoints{}
-	if err := r.Client.Get(ctx, key, ep); err != nil {
+	if err := r.Get(ctx, key, ep); err != nil {
 		return loxilbEpList, err
 	}
 
@@ -285,7 +285,7 @@ func (r *LoxilbIngressReconciler) updateIngressStatus(ctx context.Context, ingre
 	}
 
 	svc := &corev1.Service{}
-	if err := r.Client.Get(ctx, lbSvcKey, svc); err != nil {
+	if err := r.Get(ctx, lbSvcKey, svc); err != nil {
 		return err
 	}
 
@@ -310,7 +310,7 @@ func (r *LoxilbIngressReconciler) updateIngressStatus(ctx context.Context, ingre
 		ingress.Status.LoadBalancer.Ingress = append(ingress.Status.LoadBalancer.Ingress, newIngressLoadBalancerIngress)
 	}
 
-	return r.Client.Status().Update(ctx, ingress)
+	return r.Status().Update(ctx, ingress)
 }
 
 func (r *LoxilbIngressReconciler) checkIngressLoadBalancerIngressExist(ingress *netv1.Ingress, serviceIngress corev1.LoadBalancerIngress) bool {

diff --git a/manifests/loxilb-ingress-deploy.yml b/manifests/loxilb-ingress-deploy.yml
@@ -15,106 +15,6 @@ metadata:
   name: loxilb-ingress
   namespace: kube-system
 ---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: loxilb-ingress
-  namespace: kube-system
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - watch
-      - list
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-      - watch
-      - list
-      - patch
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-      - services
-      - services/status
-    verbs:
-      - get
-      - watch
-      - list
-      - patch
-      - update
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
-    verbs:
-      - create
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - discovery.k8s.io
-    resources:
-      - endpointslices
-    verbs:
-      - list
-      - watch
-      - get
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -123,18 +23,6 @@ metadata:
     app.kubernetes.io/name: loxilb-ingress
   name: loxilb-ingress
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - endpoints
-  - nodes
-  - pods
-  - secrets
-  - namespaces
-  verbs:
-  - list
-  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -145,12 +33,7 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - nodes
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
+  - endpoints
   - services
   verbs:
   - get
@@ -196,23 +79,6 @@ rules:
   - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/instance: loxilb-ingress
-    app.kubernetes.io/name: loxilb-ingress
-  name: loxilb-ingress
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: loxilb-ingress
-subjects:
-- kind: ServiceAccount
-  name: loxilb-ingress
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels: