The operator currently has a broad set of RBAC grants: https://github.com/projectcontour/contour-operator/blob/main/internal/operator/operator.go#L55-L74 These are a combination of: - permissions the Operator needs in order to create/update/delete Contour itself (e.g. CRUD on deployments, daemonsets, jobs, etc.) - transitive permissions the Operator needs in order to create Contour's ClusterRole (e.g. get/list/watch endpoints, services, etc) It'd be nice to: - Organize the kubebuilder RBAC comments based on the above two categories. This should make maintenance easier, particularly keeping the second category in sync with upstream Contour's ClusterRole / the golang definitions at https://github.com/projectcontour/contour-operator/blob/main/internal/objects/clusterrole/cluster_role.go#L64 - Audit the permissions in the first category, to ensure we're only granting what's needed.
The operator currently has a broad set of RBAC grants:
https://github.com/projectcontour/contour-operator/blob/main/internal/operator/operator.go#L55-L74
These are a combination of:
It'd be nice to: