@@ -25,15 +25,43 @@ import (
2525 "sigs.k8s.io/controller-runtime/pkg/client"
2626)
2727
28- // these resources are created by the 'crds.yaml' and 'import.yaml' files that are provided by ACM
2928//+kubebuilder:rbac:groups="",resources=secrets,verbs=create;delete;get;list;watch
30- //+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=klusterlets,verbs=create;get;list;watch
29+ //+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=klusterlets,verbs=get;list;watch
30+
31+ // these resources are created by the 'crds.yaml' file that is provided by ACM
32+ //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=create
33+
34+ // these resources are created by the 'import.yaml' file that is provided by ACM
3135//+kubebuilder:rbac:groups="",resources=namespaces,verbs=create
3236//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=create
33- //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=create
3437//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=create
3538//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=create
36- //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=create
39+ //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=create
40+ //+kubebuilder:rbac:groups="",resources=secrets,verbs=create
41+ //+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=klusterlets,verbs=create
42+
43+ // these permissions are granted by the ClusterRoles created by import.yaml
44+ // since an object cannot grant permissions that it doesn't have, the operator needs these as well
45+ // ClusterRole/klusterlet
46+ //+kubebuilder:rbac:groups="",resources=secrets;configmaps;serviceaccounts,verbs=create;get;list;update;watch;patch;delete
47+ //+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=create;get;list;update;watch;patch
48+ //+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
49+ //+kubebuilder:rbac:groups="",resources=namespaces,verbs=create;get;list;watch;delete
50+ //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
51+ //+kubebuilder:rbac:groups="";events.k8s.io,resources=events,verbs=create;patch;update
52+ //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=create;get;list;update;watch;patch;delete
53+ //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings;rolebindings,verbs=create;get;list;update;watch;patch;delete
54+ //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;roles,verbs=create;get;list;update;watch;patch;delete;escalate;bind
55+ //+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=create;get;list;update;watch;patch;delete
56+ //+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=klusterlets,verbs=get;list;watch;update;patch;delete
57+ //+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=klusterlets/status,verbs=update;patch
58+ //+kubebuilder:rbac:groups=work.open-cluster-management.io,resources=appliedmanifestworks,verbs=list;update;patch
59+
60+ // ClusterRole/klusterlet-bootstrap-kubeconfig
61+ //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;update
62+
63+ // ClusterRole/open-cluster-management:klusterlet-admin-aggregate-clusterrole
64+ //+kubebuilder:rbac:groups=operator.open-cluster-management.io,resources=klusterlets,verbs=get;list;watch;create;update;patch;delete
3765
3866// returns nil if the Klusterlet is Available, error otherwise
3967func checkKlusterlet (ctx context.Context , c client.Client , logger logr.Logger ) error {
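Review bot: The `escalate;bind` verbs on `clusterroles;roles` added at line 54 of the new side, together with `create` on `clusterrolebindings;rolebindings` at line 53, make the operator's ServiceAccount cluster-admin-equivalent: with `escalate` it can create a ClusterRole holding any rule regardless of what it holds itself, and with `bind` plus `create` on bindings it can attach that role to its own account, so the careful mirroring of the klusterlet ClusterRole in lines 46-58 no longer bounds anything. If `escalate`/`bind` really are required because ACM's `ClusterRole/klusterlet` carries them (inferred from the comment at line 45, not visible here), split them into their own marker scoped to the roles this operator actually creates, e.g. `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;roles,verbs=create;get;list;update;watch;patch;delete` followed by `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,resourceNames=klusterlet;klusterlet-bootstrap-kubeconfig;open-cluster-management:klusterlet-admin-aggregate-clusterrole,verbs=escalate;bind` (the name with a colon may need quoting for controller-gen; confirm by regenerating the role). The comment at lines 43-44 should also say this explicitly, e.g. `// NOTE: escalate/bind let the operator mint roles beyond its own permissions; keep them restricted by resourceNames.` The body of `checkKlusterlet`, whose signature is the hunk's last line, continues outside the hunk.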