Merge pull request #413 from abhi-kn/console_crd_reader

Bug 1826716: RBAC to authorise service account to list CRDs
openshift · Apr 22, 2020 · 04ecd9f · 04ecd9f
2 parents 7513c00 + 1ed47ce
commit 04ecd9f
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/manifests/03-rbac-role-cluster.yaml b/manifests/03-rbac-role-cluster.yaml
@@ -68,3 +68,17 @@ rules:
   - create
   - update
   - delete
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: console
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/manifests/04-rbac-rolebinding-cluster.yaml b/manifests/04-rbac-rolebinding-cluster.yaml
@@ -39,3 +39,18 @@ subjects:
   - kind: ServiceAccount
     name: console-operator
     namespace: openshift-console-operator
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: console
+roleRef:
+  # CRD lists are protected from unpriviledged users, access is
+  # granted to Service Account by this ClusterRole
+  kind: ClusterRole
+  name: console
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: console
+    namespace: openshift-console