OpenShift Bugs / OCPBUGS-17501

cluster-image-registry-operator: permissive rbac role permissions


Priority: Low

      Description of problem:

      The ClusterRole which is bound to the operator SA looks like it hasn't been reviewed since 4.0. The primary concern here is that the rules are quite permissive and don't seem to be confined to what the operator actually requires [1].

      For example:

```yaml
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - events
  - namespaces
  - persistentvolumeclaims
  - pods
  - secrets
  - services
  verbs:
  - "*"
```

      Not sure if the cluster-image-registry-operator would really need "*" on all of these resources (e.g. pods). After reviewing the other RBAC rules specified, it seems we could probably limit a review to just the cluster-image-registry-operator.

      [1] - https://github.com/openshift/cluster-image-registry-operator/blob/master/manifests/02-rbac.yaml
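As an added illustration (not part of the report or of the operator's own code), the following audit script flags every resource that a rule grants wildcard verbs on, and shows how such a rule can be split into explicit per-resource rules. The rule is a constructed copy of the one quoted above; the set of "sensitive" resources and the verbs the operator actually needs are assumptions supplied by the reviewer, since the report does not list them.

```python
from dataclasses import dataclass

WILDCARD = "*"
# Resources where "*" hurts most: secrets hold credentials, pods and
# serviceaccounts allow workload or identity manipulation. Assumed list.
SENSITIVE = {"secrets", "pods", "serviceaccounts"}
READ_ONLY = ["get", "list", "watch"]

# Constructed copy of the core-API rule quoted in the report.
OPERATOR_RULE = {
    "apiGroups": [""],
    "resources": ["configmaps", "endpoints", "events", "namespaces",
                  "persistentvolumeclaims", "pods", "secrets", "services"],
    "verbs": ["*"],
}


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str  # "high" for sensitive resources, otherwise "medium"


def audit_rule(rule):
    """Return one Finding per resource that is granted wildcard verbs."""
    if WILDCARD not in rule.get("verbs", []):
        return []
    return [Finding(r, "high" if r in SENSITIVE else "medium")
            for r in rule.get("resources", [])]


def split_rule(rule, needed):
    """Rewrite a wildcard rule into explicit per-resource rules.

    `needed` maps resource -> verbs the operator is known to use (hypothetical
    input from the reviewer). Resources missing from it fall back to
    read-only verbs, so nothing silently keeps "*".
    """
    return [{"apiGroups": rule["apiGroups"], "resources": [r],
             "verbs": sorted(needed.get(r, READ_ONLY))}
            for r in rule["resources"]]


if __name__ == "__main__":
    for f in audit_rule(OPERATOR_RULE):
        print(f"{f.severity}: wildcard verbs on {f.resource}")
    for r in split_rule(OPERATOR_RULE, {"secrets": ["get", "list", "watch"]}):
        print(r)
```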

      Additional info:

      Appreciative of the time constraints and requirements of such a task, hence already setting a low priority. Additionally, if there is any further help/testing/assistance we could provide, let us know.

People: fmissi (Flavian Missi), rhn-support-sreber (Simon Reber), Wen Wang