diff --git a/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml b/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
index 1e1bc011..d952e82e 100644
--- a/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
+++ b/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml
@@ -36,9 +36,41 @@ metadata:
   labels:
     {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
 rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["endpoints", "namespaces", "persistentvolumeclaims", "persistentvolumes", "pods", "serviceaccounts", "services", "nodes"]
+    verbs: ["list"]
+  - apiGroups: ["apps"]
+    resources: ["controllerrevisions", "daemonsets", "deployments","replicasets", "statefulsets"]
+    verbs: ["list"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["clusterrolebindings","clusterroles","rolebindings", "roles"]
+    verbs: ["list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["list"]
+  - apiGroups: ["batch"]
+    resources: ["cronjobs", "jobs"]
+    verbs: ["list"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingressclasses", "ingresses", "networkpolicies"]
+    verbs: ["list"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["list"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["list"]
+  - apiGroups: ["networking.istio.io"]
+    resources: ["gateways","virtualservices"]
+    verbs: ["list"]
+  {{- if .Values.clusterReader.enableListSecret }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list"]
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/wiz-kubernetes-connector/values.yaml b/wiz-kubernetes-connector/values.yaml
index 20826c2f..5478a014 100644
--- a/wiz-kubernetes-connector/values.yaml
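Review bot: The rule gated by `{{- if .Values.clusterReader.enableListSecret }}` still gives the connector the contents of every Secret in the cluster, because a `list` on `secrets` returns the full objects including `data`, not just names — so the gate's name undersells what it enables, and the values.yaml hunk on this page sets `enableListSecret: true`, making cluster-wide secret disclosure the out-of-the-box posture of this ClusterRole. I would ship the gate as `enableListSecret: false` and document it in values.yaml with something like `# Cluster-wide 'list' on Secrets; list returns full Secret contents, not only names. Enable only if the connector needs it.` so operators opt in knowingly. Replacing the `*`/`*` wildcard with explicit resources is a clear improvement; the `podsecuritypolicies` rule is dead on Kubernetes 1.25+ (the API was removed) but harmless in RBAC. The ClusterRole's `metadata` begins before this hunk and the ClusterRoleBinding that follows continues past it.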
+++ b/wiz-kubernetes-connector/values.yaml
@@ -15,6 +15,7 @@ image:
 clusterReader:
   installRbac: true
+  enableListSecret: true
 serviceAccount:
   create: true
   # Annotations to add to the service account