Give API server permission to create RoleBindings for teams

appuio · Mar 9, 2022 · 63c4067 · 63c4067
1 parent 5088057
commit 63c4067
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/apiserver/organization/rolebindings.go b/apiserver/organization/rolebindings.go
@@ -16,6 +16,7 @@ import (
 // Needed so that we are allowed to delegate the default clusterroles
 // +kubebuilder:rbac:groups="rbac.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
 // +kubebuilder:rbac:groups="organization.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
+// +kubebuilder:rbac:groups="appuio.io",resources=teams,verbs=get;list;watch;create;delete;patch;update
 
 //go:generate go run github.com/golang/mock/mockgen -source=$GOFILE -destination=./mock/$GOFILE
 type roleBindingCreator interface {

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -49,6 +49,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - appuio.io
+  resources:
+  - teams
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:

diff --git a/config/user-rbac/organization-admin-role.yml b/config/user-rbac/organization-admin-role.yml
@@ -11,7 +11,7 @@ rules:
   verbs: ["get", "watch", "list", "patch", "update", "create"]
 - apiGroups: ["appuio.io"]
   resources: ["teams"]
-  verbs: ["get", "watch", "list", "patch", "update", "create"]
+  verbs: ["get", "watch", "list", "patch", "update", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources: ["rolebindings"]
   verbs: ["get", "watch", "list", "patch", "update", "create"]