diff --git a/charts/cluster-manager-hub/templates/auth/bootstrap_cluster_role.yaml b/charts/cluster-manager-hub/templates/auth/bootstrap_cluster_role.yaml
index 2b368796..3c703b28 100644
--- a/charts/cluster-manager-hub/templates/auth/bootstrap_cluster_role.yaml
+++ b/charts/cluster-manager-hub/templates/auth/bootstrap_cluster_role.yaml
@@ -1,4 +1,5 @@
 # Copyright Contributors to the Open Cluster Management project
+# Copied from https://github.com/open-cluster-management-io/clusteradm/blob/main/pkg/cmd/init/scenario/init/bootstrap_cluster_role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/cluster-manager-hub/templates/clustermanager_cluster_role.yaml b/charts/cluster-manager-hub/templates/clustermanager_cluster_role.yaml
index f71e1f7a..3e2a5b25 100644
--- a/charts/cluster-manager-hub/templates/clustermanager_cluster_role.yaml
+++ b/charts/cluster-manager-hub/templates/clustermanager_cluster_role.yaml
@@ -7,11 +7,14 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["configmaps", "namespaces", "serviceaccounts", "services", "pods"]
+  resources: ["configmaps", "namespaces", "serviceaccounts", "services"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete", "deletecollection"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["list", "watch", "update", "patch", "delete"]
+  verbs: ["get", "list", "watch", "update", "patch", "delete"]
   resourceNames:
   - "signer-secret"
   - "registration-webhook-serving-cert"
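Review bot: The new `pods`/`get` rule in the hub ClusterRole carries no comment saying which controller needs it, whereas the matching rule added to the spoke role in this same commit is annotated `# get pods and replicasets is for event creation`; a reader auditing the hub role cannot tell whether this grant exists for the same reason or for something else. Presumably it is the same event-recorder use; if so, add the same explanation above the new `- apiGroups: [""]` entry, e.g. `# get pods is for event creation`. Dropping `pods` from the broad create/delete/deletecollection rule is a good reduction, and adding `get` to the resourceNames-scoped secrets rule keeps single-object reads bounded to the listed names. The rules list continues past the end of the hunk.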
@@ -21,11 +24,11 @@ rules:
   - "work-webhook-sa-kubeconfig"
   - "placement-controller-sa-kubeconfig"
   - "work-controller-sa-kubeconfig"
+  - "addon-manager-controller-sa-kubeconfig"
   - "external-hub-kubeconfig"
-# addon manager needs this to sign the customized type csr
 - apiGroups: [""]
   resources: ["secrets"]
-  verbs: ["create", "get"]
+  verbs: ["create"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
diff --git a/charts/cluster-manager-spoke/templates/cluster_role.yaml b/charts/cluster-manager-spoke/templates/cluster_role.yaml
index e34b86af..c26502d7 100644
--- a/charts/cluster-manager-spoke/templates/cluster_role.yaml
+++ b/charts/cluster-manager-spoke/templates/cluster_role.yaml
@@ -7,8 +7,29 @@ metadata:
 rules:
 # Allow the registration-operator to create workload
 - apiGroups: [""]
-  resources: ["secrets", "configmaps", "serviceaccounts"]
+  resources: ["configmaps", "serviceaccounts"]
   verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["update", "get", "list", "watch", "delete"]
+  resourceNames:
+  - "open-cluster-management-image-pull-credentials"
+  - "bootstrap-hub-kubeconfig"
+  - "hub-kubeconfig-secret"
+  - "external-managed-kubeconfig"
+  - "external-managed-kubeconfig-work"
+  - "external-managed-kubeconfig-registration"
+  - "external-managed-kubeconfig-agent"
+# get pods and replicasets is for event creation
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: [ "apps" ]
+  resources: [ "replicasets" ]
+  verbs: [ "get" ]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["create", "get", "list", "update", "watch", "patch"]
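Review bot: The unscoped secrets rule in the hub ClusterRole keeps `create` but loses the only explanation of why it exists — the removed comment `# addon manager needs this to sign the customized type csr` — so the remaining `verbs: ["create"]` now reads as an unexplained cluster-wide grant. `create` cannot be bounded by `resourceNames` (the object name may not be known at request time), so this is the one secrets permission in the role that stays unscoped, and it deserves a one-line comment naming its consumer, e.g. `# unscoped create (resourceNames cannot restrict create); needed by the addon manager`. If the addon manager no longer needs this now that `addon-manager-controller-sa-kubeconfig` is covered by the scoped rule above, the rule could be dropped instead — that is not decidable from the hunk. The resourceNames list this hunk extends begins before the hunk starts.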
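Review bot: The new resourceNames-scoped secrets rule in the spoke ClusterRole grants `list` and `watch`, but Kubernetes RBAC only honours `resourceNames` on list/watch when the request carries a `metadata.name` field selector matching one of the listed names; a plain namespaced list, or an informer started without that selector, is denied. If the agent's informers for `bootstrap-hub-kubeconfig` or `hub-kubeconfig-secret` list without a field selector, this tightening will break them at runtime, so it should be confirmed against the agent code (not visible here) before merging. Two points of style in the same hunk: the new `apps`/`replicasets` rule is written `[ "apps" ]` with inner spaces while every other flow list in the file is `[""]`, and the verb list `["update", "get", "list", "watch", "delete"]` would be easier to diff against the other rules if ordered like them, `["get", "list", "update", "watch", "delete"]`. The rules list continues past the end of the hunk.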
@@ -17,7 +38,7 @@ rules:
   verbs: ["create"]
 - apiGroups: [""]
   resources: ["namespaces"]
-  verbs: ["create", "get", "list", "update", "watch", "delete"]
+  verbs: ["create", "get", "list", "update", "watch", "patch", "delete"]
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get", "list", "watch"]
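Review bot: Adding `patch` to the unscoped `namespaces` rule makes it create/get/list/update/watch/patch/delete on every namespace in the cluster, and nothing in the hunk says which agent component needs `patch` where `update` was not sufficient. A short comment above the rule, e.g. `# patch is needed by <controller> for <purpose>` with the placeholders filled in, would let the next reviewer judge whether the grant is still minimal. Because `namespaces` is cluster-scoped, `resourceNames` could bound this rule to the agent's own namespace if the chart knows that name at render time; if it does not, the comment is the only record of intent. The enclosing rules list starts and ends outside the hunk.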