feat: drop aggregate-to-ns-* clusterroles

Signed-off-by: Philippe Scorsolini <p.scorsolini@gmail.com>
crossplane · Feb 12, 2024 · 82036c1 · 82036c1
1 parent 02e247f
commit 82036c1
Showing 1 changed file with 0 additions and 69 deletions.
diff --git a/cluster/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml b/cluster/charts/crossplane/templates/rbac-manager-managed-clusterroles.yaml
@@ -187,74 +187,5 @@ rules:
   - apiextensions.crossplane.io
   resources: ["*"]
   verbs: [get, list, watch]
-{{- if .Values.rbacManager.managementPolicy }}
----
-# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
-# the Crossplane RBAC manager when it is running in --manage=All mode.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-admin
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-admin: "true"
-    rbac.crossplane.io/base-of-ns-admin: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace admins have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-# Crossplane namespace admins may need to read or otherwise interact with
-# resource claim connection secrets.
-- apiGroups: [""]
-  resources: [secrets]
-  verbs: ["*"]
-# Crossplane namespace admins have access to view the roles that they may be
-# able to grant to other subjects.
-- apiGroups: [rbac.authorization.k8s.io]
-  resources: [roles]
-  verbs: [get, list, watch]
-# Crossplane namespace admins have access to grant the access they have to other
-# subjects.
-- apiGroups: [rbac.authorization.k8s.io]
-  resources: [rolebindings]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-edit
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-edit: "true"
-    rbac.crossplane.io/base-of-ns-edit: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace editors have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-# Crossplane namespace editors may need to read or otherwise interact with
-# resource claim connection secrets.
-- apiGroups: [""]
-  resources: [secrets]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-view
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-view: "true"
-    rbac.crossplane.io/base-of-ns-view: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace viewers have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-{{- end }}
 {{- end }}
 {{- end }}