
[Enhancement] Reduce default Kyverno RBAC

Problem Statement

As of release 1.16.0, the default Kyverno installation grants RBAC permissions to operate on RBAC resources (for example, roles and rolebindings). The goal is to align default RBAC with least privilege and make optional/advanced capabilities (for example, generating RBAC resources) opt-in rather than granted by default.

Revisit and scope the following permissions:

  • Default RBAC on roles/rolebindings: Review the default permissions granted by core controller ClusterRoles.
  • updaterequests and policy deletes: Split updaterequests permissions out; the background controller does not need to delete clusterpolicies.
  • Threat model alignment (Mitigation ID 1: RBAC rights are strictly controlled):
    • MutatingWebhookConfigurations (create/edit/delete): prevent unauthorized modification of webhook objects.
    • ValidatingWebhookConfigurations (create/edit/delete): prevent unauthorized modification of webhook objects.
    • Services (create/edit): prevent creation of Services that could interfere with webhook operation (for example, CVE-2020-8554). Where this cannot be restricted, the admission controller should restrict creation of external IP Services.

Solution Description

TBD.

Alternatives

No response

Additional Context

No response

Slack discussion

No response

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
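
The review items listed under "Problem Statement" can be checked mechanically against ClusterRole manifests. The following is an added example, not code from the issue or from the Kyverno project: the role names and rules in `SAMPLE_ROLES` are constructed, and mapping the issue's "edit" to the `update` and `patch` verbs is an assumption.

```python
# Constructed sample ClusterRoles (hypothetical names, NOT Kyverno's shipped manifests).
SAMPLE_ROLES = [
    {"metadata": {"name": "example:background-controller"},
     "rules": [
         {"apiGroups": ["kyverno.io"], "resources": ["updaterequests", "clusterpolicies"],
          "verbs": ["get", "list", "watch", "update", "delete"]},
         {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
          "verbs": ["create", "update", "delete"]},
     ]},
    {"metadata": {"name": "example:admission-controller"},
     "rules": [
         {"apiGroups": ["admissionregistration.k8s.io"], "resources": ["*"], "verbs": ["*"]},
         {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
     ]},
]

WRITE = {"create", "update", "patch", "delete", "deletecollection"}
# (apiGroup, resource) -> verbs the issue asks to review ("edit" assumed = update/patch)
SENSITIVE = {
    ("rbac.authorization.k8s.io", "roles"): WRITE,
    ("rbac.authorization.k8s.io", "rolebindings"): WRITE,
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"): WRITE,
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"): WRITE,
    ("", "services"): {"create", "update", "patch"},
    ("kyverno.io", "clusterpolicies"): {"delete", "deletecollection"},
}

def matches(patterns, value):
    """RBAC rule lists match on an exact entry or the '*' wildcard."""
    return "*" in patterns or value in patterns

def audit(roles):
    """Return (role name, group/resource, granted risky verbs) for each hit."""
    findings = []
    for role in roles:
        name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            verbs = set(rule.get("verbs", []))
            for (group, resource), risky in SENSITIVE.items():
                if not (matches(rule.get("apiGroups", []), group)
                        and matches(rule.get("resources", []), resource)):
                    continue
                granted = risky if "*" in verbs else verbs & risky
                if granted:
                    findings.append((name, f"{group or 'core'}/{resource}", sorted(granted)))
    return findings

if __name__ == "__main__":
    for name, target, verbs in audit(SAMPLE_ROLES):
        print(f"{name}: {target} -> {','.join(verbs)}")
```

To run it against a live cluster, replace `SAMPLE_ROLES` with the `items` list parsed from `kubectl get clusterroles -o json`.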