Remove list/watch secrets permission from the manager cluster role. (#2276)

2025-12-10 19:50:30 +00:00 · 2023-03-14 09:23:14 -04:00
parent 19d30dea5f
commit 2bf83d0d7f
4 changed files with 13 additions and 11 deletions
--- a/main.go
+++ b/main.go
@@ -32,10 +32,12 @@ import (
 	"github.com/actions/actions-runner-controller/github/actions"
 	"github.com/actions/actions-runner-controller/logging"
 	"github.com/kelseyhightower/envconfig"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	// +kubebuilder:scaffold:imports
 )

@@ -160,6 +162,10 @@ func main() {
 		Port:               port,
 		SyncPeriod:         &syncPeriod,
 		Namespace:          namespace,
+		ClientDisableCacheFor: []client.Object{
+			&corev1.Secret{},
+			&corev1.ConfigMap{},
+		},
 	})
 	if err != nil {
 		log.Error(err, "unable to start manager")