package openshift
import (
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/apis/rbac"
"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
)
// GetServiceCatalogRBACDelta returns three cluster roles, named after the
// bootstrap admin, edit and view roles, each carrying the policy rules
// required to bootstrap service catalog.
//
// Admin and edit receive the same rules: create/update/delete/get/list/watch
// on serviceinstances and servicebindings in servicecatalog.k8s.io, and the
// same verbs on podpresets in settings.k8s.io. View receives get/list/watch on
// the two service catalog resources only and has no rule for podpresets.
//
// NOTE(review): the name suggests these rules are merged into the existing
// roles of the same name; the merge itself is not visible here, so confirm at
// the caller. PodPresets are applied to matching pods at admission time, so
// the write verbs granted to edit let any editor influence the spec of pods
// created by other users in the namespace; confirm that is intended before
// widening either rule.
func GetServiceCatalogRBACDelta() []rbac.ClusterRole {
	const (
		catalogGroup  = "servicecatalog.k8s.io"
		settingsGroup = "settings.k8s.io"
	)

	// Each helper calls NewRule with literal verbs so that every rule owns its
	// own verb slice, exactly as separate literal rules would.
	readWrite := func(group string, resources ...string) rbac.PolicyRule {
		return rbac.NewRule("create", "update", "delete", "get", "list", "watch").Groups(group).Resources(resources...).RuleOrDie()
	}
	readOnly := func(group string, resources ...string) rbac.PolicyRule {
		return rbac.NewRule("get", "list", "watch").Groups(group).Resources(resources...).RuleOrDie()
	}
	role := func(name string, rules ...rbac.PolicyRule) rbac.ClusterRole {
		return rbac.ClusterRole{
			ObjectMeta: v1.ObjectMeta{Name: name},
			Rules:      rules,
		}
	}

	adminRole := role(
		bootstrappolicy.AdminRoleName,
		readWrite(catalogGroup, "serviceinstances", "servicebindings"),
		readWrite(settingsGroup, "podpresets"),
	)
	editRole := role(
		bootstrappolicy.EditRoleName,
		readWrite(catalogGroup, "serviceinstances", "servicebindings"),
		readWrite(settingsGroup, "podpresets"),
	)
	// View is deliberately read-only and limited to the service catalog group.
	viewRole := role(
		bootstrappolicy.ViewRoleName,
		readOnly(catalogGroup, "serviceinstances", "servicebindings"),
	)

	return []rbac.ClusterRole{adminRole, editRole, viewRole}
}