Update cluster roles to match latest ocm release

Signed-off-by: Tamal Saha <[email protected]>
kluster-manager · Mar 10, 2024 · c835ed4 · c835ed4
1 parent 7ca3d43
commit c835ed4
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 6 deletions.
diff --git a/charts/cluster-manager-hub/templates/auth/bootstrap_cluster_role.yaml b/charts/cluster-manager-hub/templates/auth/bootstrap_cluster_role.yaml
@@ -1,4 +1,5 @@
 # Copyright Contributors to the Open Cluster Management project
+# Copied from https://github.com/open-cluster-management-io/clusteradm/blob/main/pkg/cmd/init/scenario/init/bootstrap_cluster_role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

diff --git a/charts/cluster-manager-hub/templates/clustermanager_cluster_role.yaml b/charts/cluster-manager-hub/templates/clustermanager_cluster_role.yaml
@@ -7,11 +7,14 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"]
+  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["list", "watch", "update", "patch", "delete"]
+  verbs: ["get", "list", "watch", "update", "patch", "delete"]
   resourceNames:
     - "signer-secret"
     - "registration-webhook-serving-cert"
@@ -21,11 +24,11 @@ rules:
     - "work-webhook-sa-kubeconfig"
     - "placement-controller-sa-kubeconfig"
     - "work-controller-sa-kubeconfig"
+    - "addon-manager-controller-sa-kubeconfig"
     - "external-hub-kubeconfig"
-# addon manager needs this to sign the customized type csr
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["create", "get"]
+  verbs: ["create"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]

diff --git a/charts/cluster-manager-spoke/templates/cluster_role.yaml b/charts/cluster-manager-spoke/templates/cluster_role.yaml
@@ -7,8 +7,29 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["secrets", "configmaps", "serviceaccounts"]
+  resources: ["configmaps", "serviceaccounts"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["update", "get", "list", "watch", "delete"]
+  resourceNames:
+    - "open-cluster-management-image-pull-credentials"
+    - "bootstrap-hub-kubeconfig"
+    - "hub-kubeconfig-secret"
+    - "external-managed-kubeconfig"
+    - "external-managed-kubeconfig-work"
+    - "external-managed-kubeconfig-registration"
+    - "external-managed-kubeconfig-agent"
+# get pods and replicasets is for event creation
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: [ "apps" ]
+  resources: [ "replicasets" ]
+  verbs: [ "get" ]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch"]
@@ -17,7 +38,7 @@ rules:
   verbs: ["create"]
 - apiGroups: [""]
   resources: ["namespaces"]
-  verbs: ["create", "get", "list", "update", "watch", "delete"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get", "list", "watch"]