Add rbac for patch operator
The patch operator requires cluster-scoped permissions [1], but it
looks for service accounts per-namespace (yuck). For each namespace in
which we're deploying patches we'll need to add an additional
serviceaccount to the clusterrolebinding, and for each new resource
type we're patching we'll need to update the clusterrole.

[1]: redhat-cop/patch-operator#4
larsks committed Sep 23, 2022
1 parent e4b3913 commit 59f8122
Showing 5 changed files with 35 additions and 0 deletions.
@@ -0,0 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: patch-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: patch-operator
subjects: []
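Review bot: `subjects: []` at the end of this ClusterRoleBinding leaves every deployment to add its own service account, and because `roleRef` binds a ClusterRole through a ClusterRoleBinding, each service account added there receives the role's permissions in all namespaces, not only its own. A comment above `subjects` saying so, and naming where the subjects are expected to be patched in, would make that scope visible to whoever adds the next namespace.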
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterrolebinding.yaml
@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: patch-operator
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- update
- patch
- get
- watch
- list
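Review bot: the single rule grants `get`, `list` and `watch` on `secrets` together with `configmaps`, so once this role is bound by the ClusterRoleBinding named `patch-operator`, every subject of that binding can read all secrets in the cluster. Consider moving `secrets` into its own rule with only the verbs the current patches need, or leaving it out until a patch actually targets a secret, and add a comment recording which patch requires each resource type.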
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterrole.yaml
2 changes: 2 additions & 0 deletions cluster-scope/bundles/patch-operator/kustomization.yaml
Expand Up @@ -4,3 +4,5 @@ resources:
- ../../base/core/namespaces/patch-operator
- ../../base/operators.coreos.com/operatorgroups/patch-operator
- ../../base/operators.coreos.com/subscriptions/patch-operator
- ../../base/rbac.authorization.k8s.io/clusterrolebindings/patch-operator
- ../../base/rbac.authorization.k8s.io/clusterroles/patch-operator
