in marketplace/deployer_util/config_helper.py [0:0]
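def has_discouraged_cluster_scoped_permissions(self):
    """Returns true if the service account has discouraged permissions.

    Two kinds of cluster-scoped grant are treated as discouraged:

    * any predefined cluster role other than `view`;
    * a custom cluster role rule whose apiGroups, resources and verbs all
      contain the '*' wildcard, which is essentially `cluster-admin`.

    Returns:
      True if either condition holds, False otherwise.
    """
    # Consider all predefined roles except `view`.
    if any(role_name != 'view'
           for role_name in self.predefined_cluster_roles()):
        return True
    # Consider apiGroups=['*'] + resources=['*'] + verbs=['*'],
    # which is essentially `cluster-admin`.
    # Allow if verbs are explicitly declared for applications which
    # truly need those permissions. Note that this means a rule with
    # wildcard apiGroups and resources plus an explicit list of write
    # verbs is NOT reported here and has to be reviewed separately.
    for rules in self.custom_cluster_role_rules():
        for rule in rules:
            # A rule may lack one of these keys, in which case .get()
            # returns None and `'*' in None` would raise TypeError.
            # Treat a missing or empty field as "no wildcard".
            # NOTE(review): presumably reachable for rules that only list
            # nonResourceURLs; confirm against the schema validation.
            if all('*' in (rule.get(field) or ())
                   for field in ('apiGroups', 'resources', 'verbs')):
                return True
    return False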