From 7d21ad238b543cfa98628693decce21b69bd3088 Mon Sep 17 00:00:00 2001
From: lokielse
Date: Mon, 17 Nov 2025 14:04:50 +0800
Subject: [PATCH 1/2] restrict permissions for clusterrole and clusterrolebinding to specific resources
Signed-off-by: lokielse
---
 .../gpu-operator/templates/clusterrole.yaml | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/deployments/gpu-operator/templates/clusterrole.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
index 2af291e22..b4c6da131 100644
--- a/deployments/gpu-operator/templates/clusterrole.yaml
+++ b/deployments/gpu-operator/templates/clusterrole.yaml
@@ -43,12 +43,33 @@ rules:
 - clusterrolebindings
 verbs:
 - create
- - get
 - list
 - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
 - update
 - patch
 - delete
+ resourceNames:
+ - nvidia-cc-manager
+ - nvidia-device-plugin
+ - nvidia-device-plugin-mps-control-daemon
+ - nvidia-driver
+ - nvidia-gpu-feature-discovery
+ - nvidia-kata-manager
+ - nvidia-mig-manager
+ - nvidia-node-status-exporter
+ - nvidia-operator-validator
+ - nvidia-sandbox-device-plugin
+ - nvidia-sandbox-validator
+ - nvidia-vfio-manager
+ - nvidia-vgpu-device-manager
+ - nvidia-vgpu-manager
 - apiGroups:
 - ""
 resources:
From 8c2ade3c4a74158407821fbeb77fae1d30d1694c Mon Sep 17 00:00:00 2001
From: lokielse
Date: Thu, 20 Nov 2025 16:33:53 +0800
Subject: [PATCH 2/2] add 'get' permission for clusterrole and clusterrolebinding in clusterrole.yaml
Signed-off-by: lokielse
---
 deployments/gpu-operator/templates/clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/gpu-operator/templates/clusterrole.yaml b/deployments/gpu-operator/templates/clusterrole.yaml
index b4c6da131..4032aabff 100644
--- a/deployments/gpu-operator/templates/clusterrole.yaml
+++ b/deployments/gpu-operator/templates/clusterrole.yaml
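Review bot: In the `-43,12 +43,33` hunk of PATCH 1/2 the added `resourceNames` list scopes only `get`, `update`, `patch` and `delete`; the preceding rule, whose start is outside the hunk, keeps `create`, `list` and `watch` with no name restriction, since Kubernetes RBAC cannot limit `create` by resource name. Unscoped `create` on `clusterrolebindings` is then bounded only by the API server's privilege-escalation check, so it is worth confirming that no other rule in this ClusterRole grants `bind` or `escalate`. The fourteen names are also a hand-maintained allowlist, and an operand role missing from it would presumably be rejected as Forbidden on update or delete. I would record both above `resourceNames:` with `# Must match the ClusterRole/ClusterRoleBinding names the operator manages; create cannot be scoped by resourceNames.`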
@@ -43,6 +43,7 @@ rules:
 - clusterrolebindings
 verbs:
 - create
+ - get
 - list
 - watch
 - apiGroups:
@@ -51,7 +52,6 @@ rules:
 - clusterroles
 - clusterrolebindings
 verbs:
- - get
 - update
 - patch
 - delete
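Review bot: PATCH 2/2 moves `get` back into the rule without `resourceNames`, and neither the template nor the commit message says why the scoped `get` from PATCH 1/2 was not enough. The read exposure barely changes, because `list` and `watch` in the same rule already return every ClusterRole and ClusterRoleBinding, but an unexplained widening right after a tightening is easy to revert or extend by mistake. A comment above that rule's `verbs:` such as `# create/get/list/watch are cluster-wide; only update/patch/delete are limited by resourceNames in the next rule.` would make the split deliberate, and the commit message should name the call that needed the unscoped `get`.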