fix(helm): explode verbs instead of wildcarding (#7405)

Updates the Helm chart role specification for Coder to explicitly list required verbs instead of requesting wildcard.
2025-07-13 21:36:50 +00:00 · 2023-05-04 11:45:51 +01:00
parent b3689c8f64
commit b4d913e24f
5 changed files with 90 additions and 10 deletions
--- a/helm/templates/rbac.yaml
+++ b/helm/templates/rbac.yaml
@ -7,10 +7,26 @@ metadata:
 rules:
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch

 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/helm/tests/testdata/default_values.golden
+++ b/helm/tests/testdata/default_values.golden
@ -22,10 +22,26 @@ metadata:
 rules:
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
--- a/helm/tests/testdata/labels_annotations.golden
+++ b/helm/tests/testdata/labels_annotations.golden
@ -22,10 +22,26 @@ metadata:
 rules:
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
--- a/helm/tests/testdata/sa.golden
+++ b/helm/tests/testdata/sa.golden
@ -22,10 +22,26 @@ metadata:
 rules:
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
--- a/helm/tests/testdata/tls.golden
+++ b/helm/tests/testdata/tls.golden
@ -22,10 +22,26 @@ metadata:
 rules:
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
-    verbs: ["*"]
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
 ---
 # Source: coder/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1