diff --git a/content/en/docs/Concepts/crds/operatorgroup.md b/content/en/docs/Concepts/crds/operatorgroup.md index d3f33b32..2d4769a2 100644 --- a/content/en/docs/Concepts/crds/operatorgroup.md +++ b/content/en/docs/Concepts/crds/operatorgroup.md @@ -141,15 +141,15 @@ When an `OperatorGroup` is created, 3 ClusterRoles each containing a single Aggr When a CSV becomes an active member of an `OperatorGroup` and is not in a failed state with reason InterOperatorGroupOwnerConflict, the following RBAC resources are generated: * For each provided API resource from a CRD: - * A `` ClusterRole is generated with the `*` verb on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-admin: true` and `olm.opgroup.permissions/aggregate-to-admin: ` - * A `` ClusterRole is generated with the `create, update, patch, release` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-edit: true` and `olm.opgroup.permissions/aggregate-to-edit: ` - * A `` ClusterRole is generated with the `get, list, watch` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-view: true` and `olm.opgroup.permissions/aggregate-to-view: ` - * A `` ClusterRole is generated with the `get` verb on `apiextensions.k8s.io` `customresourcedefinitions` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-view: true` and `olm.opgroup.permissions/aggregate-to-view: ` + * A `.--admin` ClusterRole is generated with the `*` verb on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-admin: true` and `olm.opgroup.permissions/aggregate-to-admin: ` + * A `.--edit` ClusterRole is generated with the `create, update, patch, delete` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-edit: true` and `olm.opgroup.permissions/aggregate-to-edit: ` + * A `.--view` ClusterRole is generated with the `get, list, watch` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-view: true` and `olm.opgroup.permissions/aggregate-to-view: ` + * A `.--view-crdview` ClusterRole is generated with the `get` verb on `apiextensions.k8s.io` `customresourcedefinitions` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-view: true` and `olm.opgroup.permissions/aggregate-to-view: ` * For each provided API resource from an APIService: - * A `` ClusterRole is generated with the `*` verb on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-admin: true` and `olm.opgroup.permissions/aggregate-to-admin: ` - * A `` ClusterRole is generated with the `create, update, patch, release` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-edit: true` and `olm.opgroup.permissions/aggregate-to-edit: ` - * A `` ClusterRole is generated with the `get, list, watch` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-view: true` and `olm.opgroup.permissions/aggregate-to-view: ` + * A `.--admin` ClusterRole is generated with the `*` verb on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-admin: true` and `olm.opgroup.permissions/aggregate-to-admin: ` + * A `.--edit` ClusterRole is generated with the `create, update, patch, delete` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-edit: true` and `olm.opgroup.permissions/aggregate-to-edit: ` + * A `.--view` ClusterRole is generated with the `get, list, watch` verbs on `` `` with aggregation labels `rbac.authorization.k8s.io/aggregate-to-view: true` and `olm.opgroup.permissions/aggregate-to-view: ` * If |target namespaces| == 1 and contains `*`: * A ClusterRole and corresponding ClusterRoleBinding are generated for each permission defined in the CSV's permissions field. All resources generated are given the `olm.owner: ` and `olm.owner.namespace: ` labels