fix(helm): explode verbs instead of wildcarding (#7405)

johnstcn · web-flow · commit b4d913e24ff9 · 2023-05-04T10:45:51.000Z
Updates the Helm chart role specification for Coder to explicitly list required verbs instead of requesting wildcard.
diff --git a/helm/templates/rbac.yaml b/helm/templates/rbac.yaml
@@ -7,10 +7,26 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/helm/tests/testdata/default_values.golden b/helm/tests/testdata/default_values.golden
@@ -22,10 +22,26 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/helm/tests/testdata/labels_annotations.golden b/helm/tests/testdata/labels_annotations.golden
@@ -22,10 +22,26 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/helm/tests/testdata/sa.golden b/helm/tests/testdata/sa.golden
@@ -22,10 +22,26 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/helm/tests/testdata/tls.golden b/helm/tests/testdata/tls.golden
@@ -22,10 +22,26 @@ metadata:
 rules:
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
