Charles-Edouard Brétéché

Results 310 comments of Charles-Edouard Brétéché

Technically I think kyverno core does not need this cluster role, but depending on the policies installed it may need permissions at the cluster level. We can remove the permissions...

We could move the permissions to `kyverno:generate`. Currently it has:

```yaml
- apiGroups:
  - ""
  resources:
  - namespaces
  - configmaps
  - secrets
  - resourcequotas
  - limitranges
  verbs:
  - create
  -...
```

> We can restrict to known K8s types and remove security sensitive ones, like secrets as a start.

Sounds difficult to do as we can't exclude things with RBAC (we...

Maybe we could add a flag in the helm chart to run with very restricted permissions?

Folks, I added the missing unit tests, please let me know how this looks. Sorry for the long delay. cc @stevekuznetsov @alvaroaleman

/cc @stevekuznetsov @alvaroaleman @chaodaiG

> @eddycharly: GitHub didn't allow me to request PR reviews from the following users: stevekuznetsov, alvaroaleman, chaodaiG.
>
> Note that only [kubernetes members](https://github.com/orgs/kubernetes/people) and repo collaborators can review this...