From 03ddf76424afbabe5f92dab2c4c4b4c1b81c3653 Mon Sep 17 00:00:00 2001
From: Pramod Bindal
Date: Tue, 21 Apr 2026 10:19:52 +0530
Subject: [PATCH] Security Fix: Reduce permissions in tekton-scheduler-role and limit to tekton-operator service account only

---
 config/base/tekton_scheduler_role.yaml | 35 +++++++++++++++----
 .../base/tekton_scheduler_role_binding.yaml | 6 ++--
 2 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/config/base/tekton_scheduler_role.yaml b/config/base/tekton_scheduler_role.yaml
index d6c1410291..f543ab989f 100644
--- a/config/base/tekton_scheduler_role.yaml
+++ b/config/base/tekton_scheduler_role.yaml
@@ -21,18 +21,43 @@ rules:
       - kueue.x-k8s.io
     resources:
       - resourceflavors
-      - workloads
-      - workloads/finalizers
-      - workloads/status
       - workloadpriorityclasses
     verbs:
       - get
       - list
+      - watch
+  - apiGroups:
+      - kueue.x-k8s.io
+    resources:
+      - workloadpriorityclasses
+    verbs:
+      - create
+  - apiGroups:
+      - kueue.x-k8s.io
+    resources:
+      - workloads
+    verbs:
       - create
-      - update
       - delete
+      - get
+      - list
       - patch
+      - update
       - watch
+  - apiGroups:
+      - kueue.x-k8s.io
+    resources:
+      - workloads/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - kueue.x-k8s.io
+    resources:
+      - workloads/status
+    verbs:
+      - get
+      - patch
+      - update
   - apiGroups:
       - scheduling.k8s.io
     resources:
@@ -49,8 +74,6 @@ rules:
     verbs:
       - get
       - create
-      - update
-      - list
   - nonResourceURLs:
       - /metrics
     verbs:
diff --git a/config/base/tekton_scheduler_role_binding.yaml b/config/base/tekton_scheduler_role_binding.yaml
index 6a89e8603c..4a2043c36b 100644
--- a/config/base/tekton_scheduler_role_binding.yaml
+++ b/config/base/tekton_scheduler_role_binding.yaml
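Review bot: The added rule granting `create` on `workloadpriorityclasses` in the first hunk of tekton_scheduler_role.yaml deserves a second look, because that is a cluster-scoped Kueue object normally managed by cluster administrators, while the rule just above it only reads the same resource (`get`/`list`/`watch`). If the operator only references priority classes that already exist, the `create` rule can be dropped; if it genuinely creates them, a one-line comment above the rule naming the controller or code path that does so would make the next least-privilege review much faster, and the same applies to `delete` on `workloads`. The rule whose `resources:` list opens this hunk begins above it (its `- apiGroups:` line is not shown), so the narrowing to read-only on `resourceflavors` and `workloadpriorityclasses` can only be confirmed against the full file. The second hunk of the same file removes `update` and `list` from a rule whose resource is likewise outside the hunk.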
@@ -17,9 +17,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: tekton-scheduler-rolebinding
 subjects:
-  - kind: Group
-    apiGroup: rbac.authorization.k8s.io
-    name: 'system:authenticated'
+  - kind: ServiceAccount
+    name: tekton-operator
+    namespace: tekton-operator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
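Review bot: The new subject hard-codes `namespace: tekton-operator`, so if the operator is installed into any other namespace the binding points at a service account that does not exist and the scheduler silently loses all Kueue access instead of failing loudly at install time. Confirm that `name` and `namespace` match the `serviceAccountName` and namespace of the operator Deployment, and that whatever namespace override the kustomization supports rewrites this subject as well — I believe kustomize's namespace transformer leaves ServiceAccount subjects other than `default` untouched unless configured to do otherwise. The binding's own `kind` (RoleBinding vs ClusterRoleBinding) and the `roleRef.name` are outside the hunk, which is what decides whether this ClusterRole is granted namespace-wide or cluster-wide. Since the previous subject was the `system:authenticated` group, it is also worth grepping the remaining manifests for any other binding that still grants this ClusterRole to a broad group.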