From 23a1bab77e606976ec2b8e89f73fdcc5d766b1b8 Mon Sep 17 00:00:00 2001
From: Satish Kumar Matti <smatti@google.com>
Date: Fri, 5 Jun 2020 14:49:12 -0700
Subject: [PATCH] Remove unnecessary `update` permissions

This removes `update` permissions for Pod, Service and Ingress resources.
All the `update` calls are removed in Ingress-GCE in
kubernetes/ingress-gce#1125 and kubernetes/ingress-gce#1127.
---
 docs/deploy/resources/rbac.yaml | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/docs/deploy/resources/rbac.yaml b/docs/deploy/resources/rbac.yaml
index a10284628f..53637da711 100644
--- a/docs/deploy/resources/rbac.yaml
+++ b/docs/deploy/resources/rbac.yaml
@@ -37,34 +37,25 @@ metadata:
 rules:
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["get"]
+  verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["events"]
   verbs: ["get", "list", "watch", "update", "create", "patch"]
 - apiGroups: [""]
   resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
   verbs: ["get", "list", "watch"]
-# TODO: switch to patch services/status
-# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
-# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
 - apiGroups: [""]
-  resources: ["services", "pods"]
-  verbs: ["update", "patch"]
+  resources: ["services/status"]
+  verbs: ["patch"]
 - apiGroups: ["networking.istio.io"]
   resources: ["destinationrules"]
   verbs: ["get", "list", "watch", "update", "patch"]
 - apiGroups: ["extensions", "networking.k8s.io"]
   resources: ["ingresses"]
   verbs: ["get", "list", "watch"]
-# For now, GLBC annotates ingress resources with various state and statuses: 
-# https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
-# TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
-- apiGroups: ["extensions", "networking.k8s.io"]
-  resources: ["ingresses"]
-  verbs: ["update"]
 - apiGroups: ["extensions", "networking.k8s.io"]
   resources: ["ingresses/status"]
-  verbs: ["update"]
+  verbs: ["patch"]
 # GLBC ensures that the `cloud.google.com/backendconfigs` CRD exists in a desired state:
 # https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/cmd/glbc/main.go#L93
 # TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744