fix: Remove permissions that don't exist

mikebryant · mikebryant · commit 96ff1e0626d0 · 2026-04-02T16:20:22.000+01:00
We're using ArgoCD Service Account Impersonation to deploy. This relies on [Privilege escalation prevention](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) Currently I'm getting errors like: ``` clusterroles.rbac.authorization.k8s.io "shield-cluster" is forbidden: user "system:serviceaccount:security-system:argocd-deployer" (groups=["system:serviceaccounts" "system:serviceaccounts:security-system" "system:authenticated"]) is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["clusterrolebindings"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["clusterroles"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["clusterversions"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["controllerrevisions"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["cronjobs"], Verbs:["get" "list" "watch" "get" "list" "watch"]} {APIGroups:[""], Resources:["daemonsets"], Verbs:["get" "list" "watch" "get" "list" "watch"]} {APIGroups:[""], Resources:["deployments"], Verbs:["get" "list" "watch" "get" "list" "watch"]} {APIGroups:[""], Resources:["horizontalpodautoscalers"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["ingressclasses"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["ingresses"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["jobs"], Verbs:["get" "list" "watch" "get" "list" "watch"]} {APIGroups:[""], Resources:["networkpolicies"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["pods"], Verbs:["delete"]} {APIGroups:[""], Resources:["podsecuritypolicies"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["replicasets"], Verbs:["get" "list" "watch" "get" "list" "watch"]} {APIGroups:[""], Resources:["rolebindings"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["roles"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["secrets"], Verbs:["get" "list" "watch" "get" "list" "watch" "get" "get" "list" "watch"]} {APIGroups:[""], Resources:["statefulsets"], Verbs:["get" "list" "watch" "get" "list" "watch"]} {APIGroups:[""], Resources:["storageclasses"], Verbs:["get" "list" "watch"]} {APIGroups:[""], Resources:["volumeattachments"], Verbs:["get" "list" "watch"]} ...many more ``` This appears to be because the ClusterRoles are misconfigured to reference lots of permissions that do not actually exist. This PR cleans those up by using the correct api groups to reference them. In addition it removes some "*" grants, as per least-privilege best practice.
diff --git a/charts/shield/templates/cluster/clusterrole.yaml b/charts/shield/templates/cluster/clusterrole.yaml
@@ -38,72 +38,145 @@ rules:
 {{- if (include "cluster.container_vulnerability_management_enabled" .) }}
 - apiGroups:
     - ""
-    - apps
-    - batch
-    - extensions
   resources:
-    - cronjobs
-    - daemonsets
-    - deployments
-    - jobs
     - namespaces
     - nodes
     - pods
-    - replicasets
     - replicationcontrollers
     - secrets
-    - statefulsets
   verbs:
     - get
     - list
     - watch
-{{- end }}
-{{- if (include "cluster.posture_enabled" .) }}
 - apiGroups:
-    - ""
-    - rbac.authorization.k8s.io
-    - extensions
     - apps
-    - batch
-    - networking.k8s.io
-    - autoscaling
-    - policy
-    - storage.k8s.io
-    - config.openshift.io
   resources:
-    - pods
-    - pods/log
-    - namespaces
-    - deployments
     - daemonsets
+    - deployments
+    - replicasets
     - statefulsets
-    - jobs
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - batch
+  resources:
     - cronjobs
-    - clusterroles
-    - clusterrolebindings
-    - roles
-    - rolebindings
-    - services
-    - serviceaccounts
-    - nodes
-    - ingresses
-    - ingressclasses
-    - networkpolicies
-    - replicasets
+    - jobs
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - extensions
+  resources:
+  verbs:
+    - get
+    - list
+    - watch
+{{- end }}
+{{- if (include "cluster.posture_enabled" .) }}
+- apiGroups:
+    - ""
+  resources:
     - configmaps
     - events
     - limitranges
-    - persistentvolumes
+    - namespaces
+    - nodes
     - persistentvolumeclaims
+    - persistentvolumes
+    - pods
+    - pods/log
     - replicationcontrollers
     - resourcequotas
+    - secrets
+    - serviceaccounts
+    - services
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - apps
+  resources:
     - controllerrevisions
+    - daemonsets
+    - deployments
+    - replicasets
+    - statefulsets
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - autoscaling
+  resources:
     - horizontalpodautoscalers
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - batch
+  resources:
+    - cronjobs
+    - jobs
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - config.openshift.io
+  resources:
+    - clusterversions
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - extensions
+  resources:
+    - ingresses
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - networking.k8s.io
+  resources:
+    - ingresses
+    - ingressclasses
+    - networkpolicies
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - policy
+  resources:
     - podsecuritypolicies
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - rbac.authorization.k8s.io
+  resources:
+    - clusterroles
+    - clusterrolebindings
+    - roles
+    - rolebindings
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - storage.k8s.io
+  resources:
     - storageclasses
     - volumeattachments
-    - clusterversions
-    - secrets
   verbs:
     - get
     - list
diff --git a/charts/shield/templates/cluster/role.yaml b/charts/shield/templates/cluster/role.yaml
@@ -17,7 +17,15 @@ rules:
       - "leases"
     resourceNames:
       - {{ include "cluster.posture_lease_name" . }}
-    verbs: ["*"]
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups: ["", "coordination.k8s.io"]
     resources:
       - "leases"
@@ -29,22 +37,38 @@ rules:
       - "leases"
     resourceNames:
       - {{ include "cluster.container_vulnerability_management_lease_name" . }}
-    verbs: ["*"]
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
   - apiGroups: ["", "coordination.k8s.io"]
     resources:
       - "leases"
     verbs: ["create"]
-  - apiGroups: ["*"]
+  - apiGroups: [""]
     resources:
       - "endpoints"
     verbs: ["get", "watch", "list"]
-  - apiGroups: ["*"]
+  - apiGroups: [""]
     resources:
       - "endpoints"
       # Following is required for OpenShift. See https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/pods_and_services.html#endpoints
       - "endpoints/restricted"
     resourceNames:
       - {{ include "cluster.container_vulnerability_management_service_name" . }}
-    verbs: ["*"]
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
   {{- end }}
 {{- end }}
