feat(rbac) remove list ingresses permissions EE-1304 (#5458)

* feat(RBAC) EE-1304 list ingresses of current namespace other than all namespaces at front end side * feat(RBAC) EE-1304 remove list ingresses from clusterrole Co-authored-by: Simon Meng <simon.meng@portainer.io>
2025-07-23 07:19:41 +02:00 · 2021-09-01 09:43:11 +12:00 · 2021-09-01 09:43:11 +12:00 · 7760595f21
commit 7760595f21
parent 35013e7b6a
5 changed files with 33 additions and 30 deletions
--- a/api/kubernetes/cli/role.go
+++ b/api/kubernetes/cli/role.go
@ -18,15 +18,10 @@ func getPortainerUserDefaultPolicies() []rbacv1.PolicyRule {
 			Resources: []string{"storageclasses"},
 			APIGroups: []string{"storage.k8s.io"},
 		},
-		{
-			Verbs:     []string{"list"},
-			Resources: []string{"ingresses"},
-			APIGroups: []string{"networking.k8s.io"},
-		},
 	}
 }

-func (kcl *KubeClient) createPortainerUserClusterRole() error {
+func (kcl *KubeClient) upsertPortainerK8sClusterRoles() error {
 	clusterRole := &rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: portainerUserCRName,
@ -35,8 +30,13 @@ func (kcl *KubeClient) createPortainerUserClusterRole() error {
 	}

 	_, err := kcl.cli.RbacV1().ClusterRoles().Create(clusterRole)
-	if err != nil && !k8serrors.IsAlreadyExists(err) {
-		return err
+	if err != nil  {
+		if k8serrors.IsAlreadyExists(err) {
+			_, err = kcl.cli.RbacV1().ClusterRoles().Update(clusterRole)
+		}
+		if err != nil {
+			return err
+		}
 	}

 	return nil