To follow the principle of least privilege, we should lock down the controller so that it only has access to the resources it manages, restricted by name via `resourceNames`. This would look something like this:

This will include a couple of other changes as well:

- Move the kubebuilder RBAC markers from each controller's `.go` file onto the actual resources they cover. This tells us exactly which resource generated a specific piece of RBAC.
- Create a constant holding the `metadata.name` of the resource as an exported value. This lets the reconciler and the RBAC marker share one value across packages. We must ensure this name is unique.
- If the name field is variable (e.g. taken from `parent.Spec.MyName`), then we must fall back to a rule without `resourceNames`, as the name is variable and unpredictable. Note also that the API server only honours `resourceNames` for `get`, `update`, `patch` and `delete`; `create` can never be restricted by name, and `list`/`watch` are only restricted when the request carries a `metadata.name` field selector, so those verbs still need an unrestricted rule even for a fixed name. A resource marker with a variable name would look something like this:
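As an added example (not from the original issue or the project's own code), the following Go program models the decision described in the three points above: it pins `resourceNames` when a resource's `metadata.name` is an exported constant and falls back to an unscoped rule when the name is templated from the parent's spec. The `PolicyRule` struct, the `ManagedResource` type, the `ControllerConfigMapName` constant and the `{{ ... }}` template convention are all assumptions made for this example; the local `PolicyRule` only mirrors the fields of the `rbac.authorization.k8s.io/v1` type so the program runs without `k8s.io/api`. It goes one step beyond the text: because the API server only checks `resourceNames` for `get`, `update`, `patch` and `delete`, the `create` verb is split into its own unscoped rule instead of being silently dropped or wrongly name-scoped.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PolicyRule mirrors the fields of rbac.authorization.k8s.io/v1 PolicyRule used
// here. It is a local stand-in (assumption) so the example runs without k8s.io/api.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string
	Verbs         []string
}

// ManagedResource describes one object a controller owns. Name is either a
// literal metadata.name or a template such as "{{ .Spec.MyName }}" when the
// name is taken from the parent object (assumed convention for this example).
type ManagedResource struct {
	APIGroup string
	Resource string
	Name     string
	Verbs    []string
}

// ControllerConfigMapName is a hypothetical exported constant for a ConfigMap the
// controller owns. The markers sit next to the constant, so the generated RBAC is
// traceable to this resource and the reconciler uses the same name.
// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;update;patch;delete,resourceNames=my-controller-config
// +kubebuilder:rbac:groups="",resources=configmaps,verbs=create
const ControllerConfigMapName = "my-controller-config"

// nameRestrictable lists the verbs the API server checks against resourceNames.
// create is never name-scoped (the name is unknown at authorization time), and
// list/watch are only name-scoped with a metadata.name field selector, so they
// are conservatively treated as unrestricted here.
var nameRestrictable = map[string]bool{"get": true, "update": true, "patch": true, "delete": true}

// IsStaticName reports whether a metadata.name is a literal that can be pinned.
func IsStaticName(name string) bool {
	return name != "" && !strings.Contains(name, "{{")
}

// RulesFor returns the least-privilege rules for one managed resource. A static
// name yields a name-scoped rule for the restrictable verbs plus, if needed, an
// unscoped rule for the remaining verbs; a variable name falls back to a single
// unscoped rule over the whole resource type.
func RulesFor(r ManagedResource) []PolicyRule {
	var scoped, unscoped []string
	for _, v := range r.Verbs {
		if IsStaticName(r.Name) && nameRestrictable[v] {
			scoped = append(scoped, v)
		} else {
			unscoped = append(unscoped, v)
		}
	}
	sort.Strings(scoped)
	sort.Strings(unscoped)
	var rules []PolicyRule
	if len(scoped) > 0 {
		rules = append(rules, PolicyRule{APIGroups: []string{r.APIGroup},
			Resources: []string{r.Resource}, ResourceNames: []string{r.Name}, Verbs: scoped})
	}
	if len(unscoped) > 0 {
		rules = append(rules, PolicyRule{APIGroups: []string{r.APIGroup},
			Resources: []string{r.Resource}, Verbs: unscoped})
	}
	return rules
}

// Marker renders a rule in kubebuilder RBAC marker syntax so it can be pasted
// next to the resource's name constant (the core group is written as "").
func Marker(p PolicyRule) string {
	group := p.APIGroups[0]
	if group == "" {
		group = `""`
	}
	m := fmt.Sprintf("+kubebuilder:rbac:groups=%s,resources=%s,verbs=%s",
		group, strings.Join(p.Resources, ";"), strings.Join(p.Verbs, ";"))
	if len(p.ResourceNames) > 0 {
		m += ",resourceNames=" + strings.Join(p.ResourceNames, ";")
	}
	return m
}

func main() {
	resources := []ManagedResource{
		{APIGroup: "", Resource: "configmaps", Name: ControllerConfigMapName,
			Verbs: []string{"get", "create", "update", "patch", "delete"}},
		// Name comes from parent.Spec.MyName, so it cannot be pinned.
		{APIGroup: "apps", Resource: "deployments", Name: "{{ .Spec.MyName }}",
			Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
	}
	for _, r := range resources {
		for _, p := range RulesFor(r) {
			fmt.Println("//", Marker(p))
		}
	}
}
```

Running it prints one `+kubebuilder:rbac` marker per rule: two for the ConfigMap (a name-scoped rule plus an unscoped `create` rule) and one unscoped rule for the Deployment whose name is variable. The check worth keeping from this is the verb split; a marker that lists `create` together with `resourceNames` generates a rule the API server will never satisfy for the create request.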