Is your feature request related to a problem? Please describe.
This is not a problem but an improvement for LEAST PRIVILEGED access. We believe that providing too much access for admissionregistration.k8s.io to ALL resources is bad practice.
Describe the solution you'd like
Restrict rules access for the injector-clusterrole in the following template file: charts/vault/templates/injector-clusterrole.yaml:
Original/current code:

```yaml
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs:
      - "get"
      - "list"
      - "watch"
      - "patch"
```
NEW proposed code (remove `patch` from all resources and grant it only on the `vault-agent-injector-cfg` resource):

```yaml
rules:
  # Read access stays cluster-wide.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs:
      - "get"
      - "list"
      - "watch"
  # Write access is limited to the injector's own webhook configuration.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    resourceNames: ["vault-agent-injector-cfg"]
    verbs:
      - "patch"
```
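As an added illustration (not code from vault-helm or this issue's author), the following script audits ClusterRole rules the way a reviewer would check this change: it flags write verbs granted without `resourceNames`, and flags verbs that Kubernetes cannot restrict by name at all. The two roles are constructed Python dicts mirroring the YAML above.

```python
"""Audit Kubernetes ClusterRole rules for unscoped write access.

Added example for this issue; the rule shape follows the real
rbac.authorization.k8s.io/v1 ClusterRole, the contents are constructed.
"""

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Kubernetes cannot restrict these verbs by resourceNames (the object name
# is not known when the request is authorized), so scoping them is a no-op.
NAME_BLIND_VERBS = {"create", "deletecollection"}


def unscoped_writes(role):
    """Return (apiGroup, resource, verb) triples that grant a write verb
    on every object of a resource, i.e. rules without resourceNames."""
    findings = []
    for rule in role.get("rules", []):
        if rule.get("resourceNames"):
            continue
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if verb in WRITE_VERBS:
                        findings.append((group, resource, verb))
    return findings


def misused_resource_names(role):
    """Return verbs that appear in a resourceNames-scoped rule but
    ignore the name restriction (a misleading grant)."""
    return sorted(
        v for rule in role.get("rules", []) if rule.get("resourceNames")
        for v in rule.get("verbs", []) if v in NAME_BLIND_VERBS
    )


WEBHOOK_RULE = {"apiGroups": ["admissionregistration.k8s.io"],
                "resources": ["mutatingwebhookconfigurations"]}

# Current chart rule: patch on every MutatingWebhookConfiguration.
CURRENT_ROLE = {"rules": [dict(WEBHOOK_RULE, verbs=["get", "list", "watch", "patch"])]}

# Proposed split: read cluster-wide, patch only the injector's own object.
PROPOSED_ROLE = {"rules": [
    dict(WEBHOOK_RULE, verbs=["get", "list", "watch"]),
    dict(WEBHOOK_RULE, resourceNames=["vault-agent-injector-cfg"], verbs=["patch"]),
]}

if __name__ == "__main__":
    for name, role in (("current", CURRENT_ROLE), ("proposed", PROPOSED_ROLE)):
        print(name, unscoped_writes(role), misused_resource_names(role))
```

Running it reports the cluster-wide `patch` for the current role and nothing for the proposed one.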
Describe alternatives you've considered

Additional context