Use Role instead of ClusterRole for on-prem services

yuqi-zhang · May 27, 2024 · d2aff6e · d2aff6e
1 parent d42572e
commit d2aff6e
Showing 1 changed file with 45 additions and 5 deletions.
diff --git a/install/0000_80_machine-config_03_rbac.yaml b/install/0000_80_machine-config_03_rbac.yaml
@@ -78,9 +78,49 @@ subjects:
 # Because host networking components right now only run on on-prem platforms, we create RoleBinding
 # explicitly only in namespaces for OpenStack, BareMetal, vSphere and Nutanix.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: host-networking-services
+  namespace: openshift-openstack-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-networking-services
+  namespace: openshift-kni-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-networking-services
+  namespace: openshift-vsphere-infra
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-networking-services
+  namespace: openshift-nutanix-infra
   annotations:
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
@@ -102,7 +142,7 @@ subjects:
     kind: Group
     name: system:nodes
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: host-networking-services
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -118,7 +158,7 @@ subjects:
     kind: Group
     name: system:nodes
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: host-networking-services
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -134,7 +174,7 @@ subjects:
     kind: Group
     name: system:nodes
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: host-networking-services
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -150,5 +190,5 @@ subjects:
     kind: Group
     name: system:nodes
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: host-networking-services