Merge pull request #812 from ecordell/admin-perms

feat(rbac): restrict permissions for namespace admins
operator-framework · Apr 15, 2019 · c718ec8 · c718ec8
2 parents 33ccf62 + 32965a5
commit c718ec8
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/deploy/chart/templates/0000_50_olm_09-aggregated.clusterrole.yaml b/deploy/chart/templates/0000_50_olm_09-aggregated.clusterrole.yaml
@@ -8,8 +8,11 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups: ["operators.coreos.com"]
-  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions", "packagemanifests"]
+  resources: ["subscriptions"]
   verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions"]
+  verbs: ["delete"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/manifests/0000_50_olm_09-aggregated.clusterrole.yaml b/manifests/0000_50_olm_09-aggregated.clusterrole.yaml
@@ -8,8 +8,11 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups: ["operators.coreos.com"]
-  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions", "packagemanifests"]
+  resources: ["subscriptions"]
   verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions"]
+  verbs: ["delete"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1