From 5da977db8a4ec0563d3e0475f6f6e757c6f24596 Mon Sep 17 00:00:00 2001
From: Marcel Lauhoff
Date: Tue, 8 Nov 2022 19:47:37 +0100
Subject: [PATCH] deploy: Remove unnecessary RBAC permissions

Signed-off-by: Marcel Lauhoff
---
 deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml | 10 ----------
 deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml | 2 +-
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
index 48edb4599..c1833d044 100644
--- a/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
+++ b/deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
@@ -10,10 +10,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cephfs-csi-nodeplugin
 rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get"]
- # allow to read Vault Token and connection options from the Tenants namespace
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get"]
@@ -23,12 +19,6 @@ rules:
 - apiGroups: [""]
 resources: ["serviceaccounts"]
 verbs: ["get"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["list", "get"]
 - apiGroups: [""]
 resources: ["serviceaccounts/token"]
 verbs: ["create"]
diff --git a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
index 045bb1fe4..945e95605 100644
--- a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
+++ b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
@@ -83,7 +83,7 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "update", "delete"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "watch", "list", "delete", "update", "create"]
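Review bot: The narrowed `configmaps` rule in csi-provisioner-rbac.yaml has no comment saying why read-only access is enough, while the write verbs remain only on the `leases` rule below it. A line such as `# read-only: leader election uses coordination.k8s.io leases, not configmaps` above the rule would stop a later edit from re-adding write verbs. That rationale is inferred from the adjacent rule, not stated in the commit, so confirm that no deployed sidecar still uses ConfigMap-based leader election, which would now be denied `create`/`update`. The first csi-nodeplugin-rbac.yaml hunk shares the documentation gap: the comment explaining the `secrets` `get` rule (Vault token and connection options from the tenant's namespace) is deleted along with the `nodes` rule, so it should be kept above the `secrets` rule. Both rules lists continue outside the hunks, so the remaining grants were not reviewed in full.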