From e962e923360ac8645067ba85284f4bd0a64eda1e Mon Sep 17 00:00:00 2001
From: Isabella Janssen
Date: Tue, 5 May 2026 15:37:10 +0000
Subject: [PATCH] mcc: replace wildcard permissions with explicit verbs and resources in MCC ClusterRole & scope configmap access to target namespace via Role instead of ClusterRole

Co-Authored-By: Claude Opus 4.6
---
 .../machineconfigcontroller/clusterrole.yaml          | 39 ++++++++-----------
 .../configmaps-role-target.yaml                        |  9 +++++
 .../configmaps-rolebinding-target.yaml                 | 13 +++++++
 pkg/operator/sync.go                                   |  4 ++
 4 files changed, 42 insertions(+), 23 deletions(-)
 create mode 100644 manifests/machineconfigcontroller/configmaps-role-target.yaml
 create mode 100644 manifests/machineconfigcontroller/configmaps-rolebinding-target.yaml

diff --git a/manifests/machineconfigcontroller/clusterrole.yaml b/manifests/machineconfigcontroller/clusterrole.yaml
index b06fd4bda5..01229d378d 100644
--- a/manifests/machineconfigcontroller/clusterrole.yaml
+++ b/manifests/machineconfigcontroller/clusterrole.yaml
@@ -7,22 +7,22 @@ rules:
   resources: ["nodes"]
   verbs: ["get", "list", "watch", "patch", "update"]
 - apiGroups: ["machineconfiguration.openshift.io"]
-  resources: ["*"]
-  verbs: ["*"]
+  resources: ["machineconfigs", "machineconfigs/status", "machineconfigpools", "machineconfigpools/status", "controllerconfigs", "controllerconfigs/status", "kubeletconfigs", "kubeletconfigs/status", "containerruntimeconfigs", "containerruntimeconfigs/status", "machineconfignodes", "machineconfignodes/status", "internalreleaseimages", "internalreleaseimages/status", "pinnedimagesets", "osimagestreams", "machineosconfigs", "machineosconfigs/status", "machineosbuilds", "machineosbuilds/status"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["machineconfiguration.openshift.io"]
+  resources: ["controllerconfigs/finalizers", "kubeletconfigs/finalizers", "containerruntimeconfigs/finalizers", "machineconfigpools/finalizers", "internalreleaseimages/finalizers", "machineosconfigs/finalizers", "machineosbuilds/finalizers"]
+  verbs: ["update"]
 - apiGroups: [""]
-  resources: ["configmaps", "secrets"]
-  verbs: ["*"]
-- apiGroups: ["config.openshift.io"]
-  resources: ["images", "clusterversions", "featuregates", "nodes", "nodes/status", "imagepolicies/status", "criocredentialproviderconfigs/status"]
-  verbs: ["*"]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch", "create", "update", "delete"]
 - apiGroups: ["config.openshift.io"]
-  resources: ["schedulers", "apiservers", "infrastructures", "imagedigestmirrorsets", "imagetagmirrorsets", "clusterimagepolicies", "imagepolicies", "criocredentialproviderconfigs"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["operator.openshift.io"]
-  resources: ["imagecontentsourcepolicies"]
+  resources: ["images", "clusterversions", "featuregates", "nodes", "schedulers", "apiservers", "infrastructures", "imagedigestmirrorsets", "imagetagmirrorsets", "clusterimagepolicies", "imagepolicies", "criocredentialproviderconfigs"]
   verbs: ["get", "list", "watch"]
+- apiGroups: ["config.openshift.io"]
+  resources: ["imagepolicies/status", "criocredentialproviderconfigs/status"]
+  verbs: ["get", "list", "watch", "update"]
 - apiGroups: ["operator.openshift.io"]
-  resources: ["etcds"]
+  resources: ["imagecontentsourcepolicies", "etcds", "machineconfigurations"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["pods/eviction"]
@@ -41,16 +41,7 @@ rules:
   verbs: ["get", "list", "watch", "patch"]
 - apiGroups: ["operator.openshift.io"]
   resources: ["machineconfigurations/status"]
-  verbs: ["*"]
-- apiGroups: ["operator.openshift.io"]
-  resources: ["machineconfigurations"]
-  verbs: ["get","list","watch"]
-- apiGroups: ["machineconfiguration.openshift.io"]
-  resources: ["machineosconfigs", "machineosconfigs/status"]
-  verbs: ["create", "update", "patch", "get"]
-- apiGroups: ["machineconfiguration.openshift.io"]
-  resources: ["machineosbuilds", "machineosbuilds/status"]
-  verbs: ["create", "update", "patch", "get"]
+  verbs: ["get", "update"]
 - apiGroups: ["aro.openshift.io"]
   resources: ["clusters"]
   verbs: ["get"]
@@ -72,4 +63,6 @@ rules:
   resources:
   - leases
   verbs:
-  - "*"
+  - create
+  - get
+  - update
diff --git a/manifests/machineconfigcontroller/configmaps-role-target.yaml b/manifests/machineconfigcontroller/configmaps-role-target.yaml
new file mode 100644
index 0000000000..e3ed626c9c
--- /dev/null
+++ b/manifests/machineconfigcontroller/configmaps-role-target.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: machine-config-controller-configmaps
+  namespace: {{.TargetNamespace}}
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch", "create", "update", "delete"]
diff --git a/manifests/machineconfigcontroller/configmaps-rolebinding-target.yaml b/manifests/machineconfigcontroller/configmaps-rolebinding-target.yaml
new file mode 100644
index 0000000000..01d21e6777
--- /dev/null
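Review bot: `secrets` keep cluster-wide `create`, `update` and `delete` in the rule that becomes `+  resources: ["secrets"]`, while the configmaps that shared that rule were moved to a namespaced Role; unless the controller really reads or writes secrets outside `{{.TargetNamespace}}`, a `secrets` rule in that same Role (or a comment on the ClusterRole rule such as `# secrets stay cluster-scoped: <reason>`) would finish the least-privilege change this commit starts. Separately, `nodes/status` under `config.openshift.io` is dropped entirely: the removed `["images", "clusterversions", "featuregates", "nodes", "nodes/status", ...]` rule with `*` becomes `get`/`list`/`watch` on `nodes` plus a status rule that lists only `imagepolicies/status` and `criocredentialproviderconfigs/status`, so any MCC code path that updates `nodes.config.openshift.io` status would now be forbidden; if that drop was verified against the controllers, say so in the description. Likewise, with configmaps gone from the ClusterRole, a configmap read in any namespace other than the target one (the controller evidently also acts in `default`, given the existing `events-rolebinding-default` manifest) fails at runtime, and an e2e that asserts no `Forbidden` responses from the controller's service account after this change would catch both regressions. The `rules:` list starts before this hunk and continues after it.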
+++ b/manifests/machineconfigcontroller/configmaps-rolebinding-target.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: machine-config-controller-configmaps
+  namespace: {{.TargetNamespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: machine-config-controller-configmaps
+subjects:
+- kind: ServiceAccount
+  namespace: {{.TargetNamespace}}
+  name: machine-config-controller
diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
index 354bb1f22c..5eeda92e0c 100644
--- a/pkg/operator/sync.go
+++ b/pkg/operator/sync.go
@@ -94,6 +94,8 @@ const (
 	mccEventsClusterRoleManifestPath           = "manifests/machineconfigcontroller/events-clusterrole.yaml"
 	mccEventsRoleBindingDefaultManifestPath    = "manifests/machineconfigcontroller/events-rolebinding-default.yaml"
 	mccEventsRoleBindingTargetManifestPath     = "manifests/machineconfigcontroller/events-rolebinding-target.yaml"
+	mccConfigMapsRoleTargetManifestPath        = "manifests/machineconfigcontroller/configmaps-role-target.yaml"
+	mccConfigMapsRoleBindingTargetManifestPath = "manifests/machineconfigcontroller/configmaps-rolebinding-target.yaml"
 	mccClusterRoleBindingManifestPath          = "manifests/machineconfigcontroller/clusterrolebinding.yaml"
 	mccServiceAccountManifestPath              = "manifests/machineconfigcontroller/sa.yaml"
 	mccKubeRbacProxyConfigMapPath              = "manifests/machineconfigcontroller/kube-rbac-proxy-config.yaml"
@@ -1185,11 +1187,13 @@ func (optr *Operator) syncMachineConfigController(config *renderConfig, _ *confi
 		},
 		roles: []string{
 			mccKubeRbacProxyPrometheusRolePath,
+			mccConfigMapsRoleTargetManifestPath,
 		},
 		roleBindings: []string{
 			mccEventsRoleBindingDefaultManifestPath,
 			mccEventsRoleBindingTargetManifestPath,
 			mccKubeRbacProxyPrometheusRoleBindingPath,
+			mccConfigMapsRoleBindingTargetManifestPath,
 			mopRoleBindingManifestPath,
 		},
 		clusterRoleBindings: []string{