From d3f10a2a0f68d8c1a89c6b98034fcf9cdb90a434 Mon Sep 17 00:00:00 2001
From: "weiwei.danny"
Date: Thu, 1 Aug 2024 18:32:57 +0800
Subject: [PATCH] Tighten the RBAC permission of manager
---
 config/k8s-resource/rbac/manager-clusterrole.yaml | 11 +++++++++--
 .../varmor/templates/rbac/manager-clusterrole.yaml | 9 ++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/config/k8s-resource/rbac/manager-clusterrole.yaml b/config/k8s-resource/rbac/manager-clusterrole.yaml
index c10d2aa..ae67437 100644
--- a/config/k8s-resource/rbac/manager-clusterrole.yaml
+++ b/config/k8s-resource/rbac/manager-clusterrole.yaml
@@ -100,12 +100,19 @@ rules:
 - mutatingwebhookconfigurations
 verbs:
 - create
- - delete
 - list
 - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - delete
+ resourceNames:
+ - varmor-resource-mutating-webhook-cfg-debug
 - apiGroups:
 - authentication.k8s.io
 resources:
 - tokenreviews
 verbs:
- - create
\ No newline at end of file
+ - create
diff --git a/manifests/varmor/templates/rbac/manager-clusterrole.yaml b/manifests/varmor/templates/rbac/manager-clusterrole.yaml
index 6670a3b..d2f079c 100644
--- a/manifests/varmor/templates/rbac/manager-clusterrole.yaml
+++ b/manifests/varmor/templates/rbac/manager-clusterrole.yaml
@@ -98,9 +98,16 @@ rules:
 - mutatingwebhookconfigurations
 verbs:
 - create
- - delete
 - list
 - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - delete
+ resourceNames:
+ - varmor-resource-mutating-webhook-cfg
 - apiGroups:
 - authentication.k8s.io
 resources:
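Review bot: The `create` verb that stays in the rule just above the new one is still unscoped, so the manager's service account can create a MutatingWebhookConfiguration under any name; Kubernetes RBAC cannot restrict `create` by `resourceNames`, so this is the privilege that remains after the tightening. The same applies to the second hunk in manifests/varmor/templates/rbac/manager-clusterrole.yaml. I would record that beside the rule so the split is not later read as full scoping, for example `# create cannot be limited by resourceNames; only delete is name-scoped in the next rule`. The rule holding `create`/`list`/`watch` starts outside the hunk, so its apiGroups and any other resources it covers are not visible here.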
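Review bot: The `resourceNames` entry in this Helm template is `varmor-resource-mutating-webhook-cfg`, while the same rule in config/k8s-resource/rbac/manager-clusterrole.yaml uses `varmor-resource-mutating-webhook-cfg-debug`; if the two are meant to differ (presumably a debug deployment versus the chart), a short comment on each would keep someone from aligning them by mistake. Because the name is a literal, the API server will deny the delete if the manager ever registers its webhook configuration under a different name, and the constant the manager uses is not part of this patch. Suggested comment above `resourceNames:`: `# must equal the MutatingWebhookConfiguration name the manager creates; delete is forbidden for any other name`.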