Principle of least privilege should be applied in operator (Cluster)Roles

**Describe the bug**
Today the operator is by default granted all permissions on all resources clusterwide by a [blanket ClusterRole](https://github.com/knative/serving-operator/blob/master/config/role.yaml#L60)

**Expected behavior**
Only specifically those permissions which are necessary in order to create a functional Knative serving setup should be added, using [escalate and/or bind](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) to create roles or rolebindings that the operator itself does not need explicitly, but which are needed transitively by knative serving.

**To Reproduce**
1. Install Knative Serving Operator.
1. kubectl describe clusterrole knative-serving-operator
```
Name:         knative-serving-operator
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"knative-serving-operator"},"rules":...
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Principle of least privilege should be applied in operator (Cluster)Roles #282

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Principle of least privilege should be applied in operator (Cluster)Roles #282

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions