From a2a7ae3e234219350b1a47b6c22a5603d735ce9f Mon Sep 17 00:00:00 2001 From: Flegma Date: Thu, 2 Apr 2026 14:28:08 +0200 Subject: [PATCH 1/2] fix: scope RBAC permissions and remove unused /dev/mem mount MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit API ClusterRole: - Removed namespaced resources (PVCs, jobs, pods, deployments) — these are already in the namespaced Role or moved there - Kept only cluster-scoped resources: nodes (patch for labeling) and PVs (read-only) - PV permissions reduced from create/delete to read-only API Role (namespaced): - Added PVCs (moved from ClusterRole) - Added pods/log and jobs/status (moved from ClusterRole) DaemonSet: - Removed /dev/mem volume mount — not referenced anywhere in connector source code, unnecessary host memory access Closes #412
---
 base/api/rbac/cluster-role.yaml | 38 +------------------
 base/api/rbac/role.yaml | 17 +++++++++
 .../game-server-node-connector/daemonset.yaml | 6 ---
 3 files changed, 19 insertions(+), 42 deletions(-)
diff --git a/base/api/rbac/cluster-role.yaml b/base/api/rbac/cluster-role.yaml
index 8384c7b..c9937b4 100644
--- a/base/api/rbac/cluster-role.yaml
+++ b/base/api/rbac/cluster-role.yaml
@@ -3,6 +3,7 @@ kind: ClusterRole
metadata:
name: server-creator-clusterrole
rules:
+ # Nodes are cluster-scoped — patch needed for game server node labeling
- apiGroups:
- ''
resources:
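Review bot: The new comment on the nodes rule understates what `patch` on `nodes` grants: RBAC cannot restrict a patch to label keys, so this verb lets the API's ServiceAccount rewrite labels, annotations and spec fields such as taints on every node in the cluster, which is scheduling control rather than just labeling. The rule itself (its `- apiGroups:` / `- ''` / `resources:` lines end this hunk) continues into the next hunk, where the verbs `get`, `list`, `patch` are visible. Suggest widening the comment to `# Nodes are cluster-scoped — patch is needed for game server node labeling; RBAC cannot limit patch to labels (taints/spec are writable too), constrain label keys with an admission policy if required`, so the next maintainer sees the scope of the grant.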
@@ -11,47 +12,12 @@ rules:
- get
- list
- patch
- - apiGroups:
- - ''
- resources:
- - persistentvolumeclaims
- verbs:
- - create
- - get
- - list
- - watch
- - delete
+ # PVs are cluster-scoped — read-only for monitoring storage
- apiGroups:
- ''
resources:
- persistentvolumes
verbs:
- - create
- get
- list
- watch
- - delete
- - apiGroups:
- - batch
- resources:
- - jobs
- - jobs/status
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ''
- resources:
- - pods
- - pods/log
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - patch
\ No newline at end of file
diff --git a/base/api/rbac/role.yaml b/base/api/rbac/role.yaml
index 4336cc5..2012535 100644
--- a/base/api/rbac/role.yaml
+++ b/base/api/rbac/role.yaml
@@ -45,10 +45,27 @@ rules:
verbs:
- create
- get
+ - apiGroups:
+ - ''
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
- apiGroups:
- 'batch'
resources:
- jobs
+ - jobs/status
verbs:
- create
- get
diff --git a/base/game-server-node-connector/daemonset.yaml b/base/game-server-node-connector/daemonset.yaml
index abe7598..7f743c0 100644
--- a/base/game-server-node-connector/daemonset.yaml
+++ b/base/game-server-node-connector/daemonset.yaml
@@ -80,9 +80,6 @@ spec:
- name: cpu-sys
mountPath: /host-cpu
readOnly: true
- - name: mem-sys
- mountPath: /host-mem
- readOnly: true
volumes:
- name: server-files
hostPath:
@@ -114,6 +111,3 @@ spec:
- name: cpu-sys
hostPath:
path: /sys/devices/system/cpu/
- - name: mem-sys
- hostPath:
- path: /dev/mem
\ No newline at end of file
From de02fc3ce69789ed28bba5afaa194968eea65506 Mon Sep 17 00:00:00 2001
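Review bot: The removed `pods` (get/list/watch) and `jobs` (get/list/watch) rules have no visible namespaced replacement: the role.yaml hunk in this same patch adds only `pods/log` with `get` and appends `jobs/status` to an existing jobs rule, and nothing in either hunk grants `list`/`watch` on `pods` or `get` on `pods`. The commit message says these were "already in the namespaced Role or moved there", which can only be true if the Role's rules above its line 45 (outside the hunk) already carry them; please confirm, since the API would otherwise lose pod and job read access at runtime rather than at apply time. Separately, the ClusterRole is still named `server-creator-clusterrole` although, after this hunk, it no longer grants any create verb; a rename or a comment such as `# name kept for compatibility — role is now label/read-only` would stop the name from implying more than it grants.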
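Review bot: Appending `jobs/status` to the existing `batch` jobs rule gives the subresource every verb of that rule — `create` and `get` are visible right after the addition, and the verb list continues past the end of the hunk — whereas the ClusterRole it was moved from granted `jobs/status` only `get`, `list`, `watch`. Since the stated intent is a move, not a widening, put the subresource in its own rule with the original read-only verbs. The quoting is also inconsistent within the file (`''` for the core group, `'batch'` quoted, `batch` unquoted in the removed ClusterRole rule); pick one form.
```yaml
  # … unchanged: pods/log and persistentvolumeclaims rules …
  - apiGroups:
      - 'batch'
    resources:
      - jobs
    # … unchanged: existing jobs verbs (create, get, …) …
  - apiGroups:
      - 'batch'
    resources:
      - jobs/status
    verbs:
      - get
      - list
      - watch
```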
From: Flegma Date: Thu, 2 Apr 2026 16:02:00 +0200 Subject: [PATCH 2/2] fix: add missing patch verb on deployments in Role MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit patchNamespacedDeployment requires patch verb — was in the old ClusterRole but not carried over to the namespaced Role.
---
 base/api/rbac/role.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/base/api/rbac/role.yaml b/base/api/rbac/role.yaml
index 2012535..9ad6b74 100644
--- a/base/api/rbac/role.yaml
+++ b/base/api/rbac/role.yaml
@@ -87,4 +87,5 @@ rules:
- get
- list
- watch
+ - patch
- delete
\ No newline at end of file
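Review bot: The added `patch` verb lands in a rule whose `apiGroups:` and `resources:` lines are outside the hunk, so the diff alone cannot confirm it is the deployments rule the message describes; an inline note such as `- patch  # required by patchNamespacedDeployment` would tie the verb to the caller that needs it and make a future audit of this rule self-explaining. If it is the deployments rule, note that `patch` on deployments in a namespace allows editing the pod template of every deployment there, including workloads running under other ServiceAccounts — worth confirming that no more-privileged workload shares this namespace with the API. The file also still ends without a trailing newline (`\ No newline at end of file` on both sides); since the hunk already touches the last lines, adding it here would be free.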