k3s-io / helm-controller


Too broad permissions granted to helm charts #23

Open ams0 opened 4 years ago

ams0 commented 4 years ago

I'm trying to narrow down the permissions needed to run helm-controller fully scoped in a namespace, but I hit a wall when I found:

E0907 17:29:05.730579       1 controller.go:117] error syncing 'helm-controller/traefik': handler helm-controller: failed to create helm-helm-controller-traefik rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding for helm-controller helm-controller/traefik: clusterrolebindings.rbac.authorization.k8s.io "helm-helm-controller-traefik" is forbidden: user "system:serviceaccount:helm-controller:helm-controller" (groups=["system:serviceaccounts" "system:serviceaccounts:helm-controller" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:

this is due to this line: https://github.com/rancher/helm-controller/blob/3e223ca9dc94607ea9b7deb7f632551230c4db32/pkg/helm/controller.go#L271

which wants to grant cluster-admin to every chart. This should rather be a namespaced Role, you agree?

clook commented 4 years ago

Hi @ams0, this is indeed a ClusterRole, but it is actually bound to a single namespace scope because it is referenced by a RoleBinding and not a ClusterRoleBinding. Is it an issue for you?
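As an added example (not code from the helm-controller project), here are the two binding shapes this thread is about, side by side, using the binding name and namespace from the error message; the ServiceAccount name and the use of the built-in cluster-admin ClusterRole are assumptions:

```yaml
# Added example, not from the helm-controller repository.
# Namespace and binding name are taken from the error message above;
# the per-chart ServiceAccount name is assumed.

# 1. ClusterRole referenced by a RoleBinding: the subject gets the
#    ClusterRole's rules only inside the RoleBinding's own namespace
#    ("helm-controller" here), so cluster-admin is effectively confined
#    to that namespace. The API server still applies its escalation check:
#    whoever creates the binding must already hold every permission it
#    grants in that namespace, or hold the "bind" verb on the referenced role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-helm-controller-traefik
  namespace: helm-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: helm-helm-controller-traefik   # assumed per-chart service account
  namespace: helm-controller
---
# 2. The same ClusterRole referenced by a ClusterRoleBinding: cluster-wide
#    cluster-admin for the subject. This is the object kind the error
#    message shows being refused, because a controller service account
#    that only holds namespace-scoped rights cannot grant cluster-wide ones.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: helm-helm-controller-traefik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: helm-helm-controller-traefik   # assumed per-chart service account
  namespace: helm-controller
```

To confirm which scope a deployed binding actually produced, impersonate the subject with `kubectl auth can-i create deployments -n helm-controller --as=system:serviceaccount:helm-controller:<sa-name>` and repeat with `-A` instead of `-n helm-controller`: the RoleBinding form answers yes only for the first, the ClusterRoleBinding form answers yes for both.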