From bc400b47a2f79592a6440fddf90a2739d15f4c2e Mon Sep 17 00:00:00 2001
From: Tariq Ibrahim
Date: Wed, 5 Jun 2024 18:34:35 -0700
Subject: [PATCH] [RBAC] Remove unnecessary permissions from the gpu-operator app

Signed-off-by: Tariq Ibrahim
---
 .../templates/{role.yaml => clusterrole.yaml} | 65 +++++++++++++++----
 ...lebinding.yaml => clusterrolebinding.yaml} | 0
 2 files changed, 52 insertions(+), 13 deletions(-)
 rename deployments/gpu-operator/templates/{role.yaml => clusterrole.yaml} (79%)
 rename deployments/gpu-operator/templates/{rolebinding.yaml => clusterrolebinding.yaml} (100%)

diff --git a/deployments/gpu-operator/templates/role.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
similarity index 79%
rename from deployments/gpu-operator/templates/role.yaml
rename to deployments/gpu-operator/templates/clusterrole.yaml
index ef65b1af6..fc1275b88 100644
--- a/deployments/gpu-operator/templates/role.yaml
+++ b/deployments/gpu-operator/templates/clusterrole.yaml
@@ -20,21 +20,40 @@ rules:
   - clusterroles
   - clusterrolebindings
   verbs:
-  - '*'
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
 - apiGroups:
   - ""
   resources:
   - pods
   - services
-  - endpoints
-  - persistentvolumeclaims
   - events
   - configmaps
   - secrets
   - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
   - nodes
   verbs:
-  - '*'
+  - get
+  - list
+  - watch
+  - update
+  - patch
 - apiGroups:
   - ""
   resources:
@@ -51,18 +70,22 @@ rules:
   resources:
   - deployments
   - daemonsets
-  - replicasets
-  - statefulsets
   verbs:
-  - '*'
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
 - apiGroups:
   - apps
   resources:
   - controllerrevisions
   verbs:
-  - 'get'
-  - 'list'
-  - 'watch'
+  - get
+  - list
+  - watch
 - apiGroups:
   - monitoring.coreos.com
   resources:
@@ -78,9 +101,19 @@ rules:
 - apiGroups:
   - nvidia.com
   resources:
-  - '*'
+  - clusterpolicies
+  - clusterpolicies/status
+  - nvidiadrivers
+  - nvidiadrivers/status
   verbs:
-  - '*'
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+  - deletecollection
 - apiGroups:
   - scheduling.k8s.io
   resources:
@@ -95,7 +128,13 @@ rules:
   resources:
   - securitycontextconstraints
   verbs:
-  - '*'
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
 - apiGroups:
   - config.openshift.io
   resources:
diff --git a/deployments/gpu-operator/templates/rolebinding.yaml b/deployments/gpu-operator/templates/clusterrolebinding.yaml
similarity index 100%
rename from deployments/gpu-operator/templates/rolebinding.yaml
rename to deployments/gpu-operator/templates/clusterrolebinding.yaml
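Review bot: Replacing `'*'` on clusterroles/clusterrolebindings with an explicit verb list also drops the `bind` and `escalate` verbs, so the API server will now refuse any ClusterRole or ClusterRoleBinding the operator creates for its operands that carries a permission the operator's own ClusterRole does not hold. That is the right direction for least privilege, but it should be stated so that the next person who hits a 403 on an operand role does not restore the wildcard: `# bind/escalate intentionally omitted: the operator must itself hold every permission it grants to operand roles`. In the same hunk the core-group rule keeps create/get/list/watch/update/patch/delete on `secrets` cluster-wide; `list` and `watch` on secrets across all namespaces expose every secret in the cluster, so unless the operator genuinely needs that, a comment naming the secrets it manages, or `resourceNames` where the names are fixed, would make the grant reviewable. The enclosing `rules:` list starts before this hunk.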
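Review bot: The enumerated nvidia.com resources omit the `clusterpolicies/finalizers` and `nvidiadrivers/finalizers` subresources that the old `'*'` entry covered implicitly. If the operator sets ownerReferences with blockOwnerDeletion on the objects it creates (usual for operators, but not visible in this patch), clusters running the OwnerReferencesPermissionEnforcement admission plugin — enabled by default on OpenShift, which this file targets given its config.openshift.io and securitycontextconstraints rules — will reject those creates with a 403 unless the owner's finalizers subresource is updatable. Adding `- clusterpolicies/finalizers` and `- nvidiadrivers/finalizers` to the resources list closes that gap. `deletecollection` is granted only in this rule; a one-line comment on why these CRDs need it would help the next reviewer of this file.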
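Review bot: The securitycontextconstraints rule retains create, update, patch and delete cluster-wide, which is the broadest grant left in this file: a principal holding the operator's service-account token could rewrite any SCC and thereby raise the privileges of every workload that uses it. If the operator only manages the SCCs it creates itself, scoping the mutating verbs with `resourceNames` listing those SCC names (not visible in this patch) limits the blast radius, with `create` kept in a separate rule since Kubernetes cannot apply `resourceNames` to create requests. If full SCC management is genuinely required, a comment such as `# create/update/delete on SCCs is cluster-admin-equivalent; required because the operator owns the SCCs for its operands` records the decision for auditors.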