From 87679f16b36d76ad52bbc36196692d37c4175650 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Fri, 22 May 2026 11:02:55 +0100
Subject: [PATCH 1/2] Move to Role from ClusterRole fixes FlowFuse/flowfuse#7235 This reduces the scope of the permissions granted to the Forge app to just the ProjectNamespace
---
 helm/flowfuse/templates/service-account.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/helm/flowfuse/templates/service-account.yaml b/helm/flowfuse/templates/service-account.yaml
index 19712029..06ac0e12 100644
--- a/helm/flowfuse/templates/service-account.yaml
+++ b/helm/flowfuse/templates/service-account.yaml
@@ -30,11 +30,11 @@ metadata:
 {{- end }}
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
+ namespace: {{ .Values.forge.projectNamespace | default "flowforge" }}
 labels:
 {{- include "forge.labels" . | nindent 4 }}
 rules:
@@ -72,6 +72,6 @@ subjects:
 name: flowforge
 namespace: {{ .Release.Namespace }}
 roleRef:
- kind: ClusterRole
+ kind: Role
 name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
 apiGroup: rbac.authorization.k8s.io
From d6b29c44ecb563326e43cb2b7f7b04b933998319 Mon Sep 17 00:00:00 2001
From: Ben Hardill
Date: Fri, 22 May 2026 11:13:52 +0100
Subject: [PATCH 2/2] rename RoleBinding to allow modification of reference
---
 helm/flowfuse/templates/service-account.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/flowfuse/templates/service-account.yaml b/helm/flowfuse/templates/service-account.yaml
index 06ac0e12..e97cb2bb 100644
--- a/helm/flowfuse/templates/service-account.yaml
+++ b/helm/flowfuse/templates/service-account.yaml
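Review bot: In the first hunk of PATCH 1/2 the new Role takes its namespace from `.Values.forge.projectNamespace | default "flowforge"`, while the RoleBinding shown as context in PATCH 2/2 still uses `{{ .Values.forge.projectNamespace }}` with no default. A RoleBinding resolves a `kind: Role` roleRef only inside its own namespace, so if the value is ever unset the two objects render into different namespaces and the binding grants nothing. Using the same expression on the RoleBinding, `namespace: {{ .Values.forge.projectNamespace | default "flowforge" }}`, keeps them aligned, and quoting the rendered value would guard against a namespace that parses as a non-string. The `rules:` list lies outside the hunk, so it is worth confirming separately that none of its resources are cluster-scoped, since a namespaced Role cannot grant those.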
@@ -63,7 +63,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
+ name: {{ ((.Values.forge).clusterRole).name | default "create-pod-limited" }}
 namespace: {{ .Values.forge.projectNamespace }}
 labels:
 {{- include "forge.labels" . | nindent 4 }}
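Review bot: The rename on the RoleBinding `name:` line only takes effect through the `default`, so an install that sets `forge.clusterRole.name` keeps the old binding name. Because `roleRef` is immutable on an existing RoleBinding, the upgrade from the ClusterRole-based binding would presumably still be rejected for those installs. Deriving the binding name from the configured value avoids that, e.g. `name: {{ printf "%s-limited" (((.Values.forge).clusterRole).name | default "create-pod") }}`, which still renders `create-pod-limited` by default. A short comment above the line saying that the suffix exists to force re-creation of the binding would help the next maintainer. The values key is also still called `clusterRole` although it now names a namespaced Role.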