From 19ad5023b87b98e764415c3dafafb333e4d935f1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 14 Nov 2022 20:08:04 -0600
Subject: [PATCH] jenkins: Restrict role permissions

Jenkins doesn't really need full control of all resources in its namespace. Rather, it only needs to be able to manage Pod and PersistentVolumeClaim resources.
---
 jenkins/jenkins.yaml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/jenkins/jenkins.yaml b/jenkins/jenkins.yaml
index 05e1938..06bb983 100644
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@@ -2,6 +2,23 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: jenkins
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: jenkins
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  - pods
+  - pods/exec
+  verbs:
+  - '*'
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -10,8 +27,8 @@ metadata:
   namespace: jenkins
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: edit
+  kind: Role
+  name: jenkins
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
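Review bot: The new Role's single rule uses `verbs: ['*']`, so the move away from the `edit` ClusterRole still grants every verb (including `patch`, `update` and `deletecollection`) on pods and persistentvolumeclaims and, more importantly, on `pods/exec`, which is broader than the "manage Pod and PersistentVolumeClaim resources" the commit message describes. A wildcard on `pods/exec` lets the bound user open an exec session into any pod in the namespace, not only the agent pods Jenkins creates, while `pods/exec` only ever needs `create`. Enumerating the verbs and splitting `pods/exec` into its own rule (below) keeps the intended capability and makes the grant auditable; if the Jenkins Kubernetes plugin is in use it typically also reads `pods/log` (`get`, `list`, `watch`), which neither this rule nor the one below covers — confirm against actual usage before merging. The second hunk only repoints the RoleBinding's `roleRef` at this Role, so it inherits whatever the rule grants; that RoleBinding's `metadata.name` line sits outside the hunk.
```yaml
rules:
- apiGroups:
  - ''
  resources:
  - persistentvolumeclaims
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - ''
  resources:
  - pods/exec
  verbs:
  - create
```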