From 3dee6578691cd9a41d78587f104f223336f452c1 Mon Sep 17 00:00:00 2001
From: Avo Sepp <68659218+avo-sepp@users.noreply.github.com>
Date: Thu, 21 Mar 2024 10:52:14 -0400
Subject: [PATCH] ClusterReader Fine Grained Access Control

ClusterReader RBAC Role should provide minimal permissions. Also enable end-users to decide via Values whether to enable verb list on k8s secrets.
---
 .../service-account-cluster-reader.yaml | 38 +++++++++++++++++--
 wiz-kubernetes-connector/values.yaml | 1 +
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml b/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
index 1e1bc011..d952e82e 100644
--- a/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+++ b/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
@@ -36,9 +36,41 @@ metadata:
 labels:
 {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
 rules:
- - apiGroups: ["*"]
- resources: ["*"]
- verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["endpoints", "namespaces", "persistentvolumeclaims", "persistentvolumes", "pods", "serviceaccounts", "services", "nodes"]
+ verbs: ["list"]
+ - apiGroups: ["apps"]
+ resources: ["controllerrevisions", "daemonsets", "deployments","replicasets", "statefulsets"]
+ verbs: ["list"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings","clusterroles","rolebindings", "roles"]
+ verbs: ["list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["list"]
+ - apiGroups: ["batch"]
+ resources: ["cronjobs", "jobs"]
+ verbs: ["list"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingressclasses", "ingresses", "networkpolicies"]
+ verbs: ["list"]
+ - apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["list"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["list"]
+ - apiGroups: ["networking.istio.io"]
+ resources: ["gateways","virtualservices"]
+ verbs: ["list"]
+ {{- if .Values.clusterReader.enableListSecret }}
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list"]
+ {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/wiz-kubernetes-connector/values.yaml b/wiz-kubernetes-connector/values.yaml
index 20826c2f..5478a014 100644
--- a/wiz-kubernetes-connector/values.yaml
+++ b/wiz-kubernetes-connector/values.yaml
@@ -15,6 +15,7 @@ image: clusterReader:
 installRbac: true
+ enableListSecret: true
 serviceAccount:
 create: true
 # Annotations to add to the service account
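Review bot: The secrets rule added under `{{- if .Values.clusterReader.enableListSecret }}` grants `list` on every Secret in the cluster, and a list response returns the secrets' data, so with the `enableListSecret: true` default added in the values.yaml hunk the role still reads all cluster secrets unless an operator opts out; defaulting to `enableListSecret: false` and documenting the consequence beside it, `# list on Secrets returns their contents; leave false unless the connector needs it`, would match the commit's minimal-permissions goal. The new rules also drop the `get` and `watch` verbs the old wildcard rule carried, so any connector code path that fetches a single object or runs an informer would now be denied — presumably verified against the connector, but worth stating in a comment above `rules:`. The flow sequences are inconsistently spaced (`"deployments","replicasets"`, `"clusterrolebindings","clusterroles"`, `"gateways","virtualservices"`); one space after each comma keeps them uniform with the other rules. The ClusterRole's `metadata` block starts before the hunk.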