From 7fe88d0e4e7f030b5e536da411f991d28d42242a Mon Sep 17 00:00:00 2001
From: Rokibul Hasan
Date: Tue, 27 Feb 2024 12:57:53 +0600
Subject: [PATCH] Update cluster-auth-manager permissions (#8)

Signed-off-by: Rokibul Hasan
---
 .../templates/k8s/cluster_role.yaml | 28 ++++++++++++++++---
 .../templates/k8s/gateway_cluster_role.yaml | 12 ++++++++
 2 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 charts/cluster-auth-manager/templates/k8s/gateway_cluster_role.yaml

diff --git a/charts/cluster-auth-manager/templates/k8s/cluster_role.yaml b/charts/cluster-auth-manager/templates/k8s/cluster_role.yaml
index 4ec244fb..ab089e89 100644
--- a/charts/cluster-auth-manager/templates/k8s/cluster_role.yaml
+++ b/charts/cluster-auth-manager/templates/k8s/cluster_role.yaml
@@ -4,14 +4,11 @@ metadata:
   name: cluster-auth-manager
 rules:
   - apiGroups: [""]
-    resources: ["configmaps", "events", "namespace", "secrets"]
+    resources: ["configmaps", "events", "namespaces", "secrets", "serviceaccounts"]
     verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
   - apiGroups: ["authorization.k8s.io"]
     resources: ["subjectaccessreviews"]
     verbs: ["get", "create"]
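Review bot: The core-group rule now carries `serviceaccounts` next to `secrets` with `create`, `update`, `patch`, `delete` and `deletecollection` cluster-wide; being able to create Secrets of type `kubernetes.io/service-account-token` annotated with any ServiceAccount's name is generally enough to obtain a token for every SA in the cluster, so this one rule already makes the controller cluster-admin-equivalent regardless of what the other rules grant. The `secrets` part of this rule predates the patch, but adding `serviceaccounts` widens the blast radius and nothing in the hunk records which of these verbs the manager actually issues against SAs. Give `serviceaccounts` its own rule with an explicit verb list and a comment, e.g. `- apiGroups: [""]` / `resources: ["serviceaccounts"]` / `verbs: ["get", "list", "watch", "create"]  # TODO confirm: does the manager ever patch or delete SAs?`, and check whether `deletecollection` on secrets is ever used. The `namespace` → `namespaces` correction also means that resource never matched before this commit, which is worth stating in the commit message since the effective permissions change.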
@@ -54,3 +51,26 @@ rules:
         - "clustergateways/health"
         - "clustergateways/proxy"
       verbs: [ "*" ]
+  - apiGroups: [ "authorization.k8s.appscode.com" ]
+    resources:
+      - "managedclustersetrolebindings"
+      - "managedclusterrolebindings"
+      - "managedclusterroles"
+    verbs: [ "*" ]
+  - apiGroups: [ "authentication.open-cluster-management.io" ]
+    resources:
+      - "managedserviceaccounts"
+    verbs: [ "*" ]
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+      - clusterrolebindings
+      - roles
+      - rolebindings
+    verbs: [ "*" ]
+  - apiGroups: [ "authentication.k8s.appscode.com" ]
+    resources:
+      - users
+      - groups
+    verbs: [ "*" ]
diff --git a/charts/cluster-auth-manager/templates/k8s/gateway_cluster_role.yaml b/charts/cluster-auth-manager/templates/k8s/gateway_cluster_role.yaml
new file mode 100644
index 00000000..49c1a060
--- /dev/null
+++ b/charts/cluster-auth-manager/templates/k8s/gateway_cluster_role.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cluster-gateway-permission
+rules:
+  - apiGroups:
+      - cluster.core.oam.dev
+    resources:
+      - clustergateways/health
+      - clustergateways/proxy
+    verbs:
+      - "*"
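Review bot: `verbs: [ "*" ]` on `clusterroles` and `clusterrolebindings` in the new `rbac.authorization.k8s.io` rule includes `bind` and `escalate`, which switches off the API server's RBAC escalation checks for this ServiceAccount: the controller can then create a ClusterRoleBinding to cluster-admin for any subject, so a compromise of the manager pod is a compromise of the cluster. The rule removed in the earlier hunk of this file spelled out `get, list, watch, create, update, delete` on `roles`/`rolebindings`; the replacement widens that to a wildcard and to cluster-scoped objects without a comment saying why. Restore an explicit list, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, and add `escalate`/`bind` only if the controller must hand out permissions it does not itself hold, with a comment recording that decision. The same wildcard is used for the appscode `users`/`groups` and OCM `managedserviceaccounts` rules and would benefit from the same narrowing.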
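Review bot: The new `cluster-gateway-permission` ClusterRole grants `*` on `clustergateways/proxy` and `clustergateways/health`, but no RoleBinding or ClusterRoleBinding accompanies it in this patch (the diffstat lists only the two ClusterRole templates), so a reader cannot tell which subjects are meant to receive unrestricted proxy access to every managed cluster. The same two subresources with the same wildcard already appear in `cluster-auth-manager` (context lines of the previous hunk), so presumably this role targets end users or a gateway component rather than the controller — that intent is not written down anywhere. Add a header comment above `apiVersion:` such as `# Bound outside this template to subjects allowed to open proxy sessions to managed clusters; keep verbs to the minimum the gateway proxy needs.`, and replace `"*"` with the verbs the proxy subresource actually requires once confirmed.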