diff --git a/authorization/README.md b/authorization/README.md
index 0115044..a1085f5 100644
--- a/authorization/README.md
+++ b/authorization/README.md
@@ -6,4 +6,4 @@
 > [!NOTE]
 > Adding your username to one of the `Group`s managed by this ArgoCD application does **not** create your username or grant access to the cluster. You must already have an internal SSO login in order for these role bindings to take effect.
-Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `edit` permissions. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
+Membership in the `redhat-ai-dev-users` `Group` on the cluster grants cluster-wide `view`, and `edit` permissions to the user's personal namespace and the `rhoai-workspace` namespace. Additional permissions can be configured via additional `Group` and `RoleBinding` resources.
\ No newline at end of file
diff --git a/authorization/kustomization.yaml b/authorization/kustomization.yaml
index 4b056e0..eaa0d1a 100644
--- a/authorization/kustomization.yaml
+++ b/authorization/kustomization.yaml
@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- redhat-ai-dev-edit.yaml
- redhat-ai-dev-edit-users.yaml
+ - redhat-ai-dev-users.yaml
 - redhat-ai-dev-view.yaml
- redhat-ai-dev-view-users.yaml
+ - rhoai-workspace-edit.yaml
diff --git a/authorization/redhat-ai-dev-edit-users.yaml b/authorization/redhat-ai-dev-users.yaml
similarity index 92%
rename from authorization/redhat-ai-dev-edit-users.yaml
rename to authorization/redhat-ai-dev-users.yaml
index 9e6f3cc..4cb068f 100644
--- a/authorization/redhat-ai-dev-edit-users.yaml
+++ b/authorization/redhat-ai-dev-users.yaml
@@ -3,7 +3,7 @@
 kind: Group
 apiVersion: user.openshift.io/v1
 metadata:
- name: redhat-ai-dev-edit-users
+ name: redhat-ai-dev-users
 users:
 - bwilcock
 - jdubrick
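Review bot: In authorization/kustomization.yaml, `redhat-ai-dev-view.yaml` stays in `resources` but is not among the files this commit changes, while the `redhat-ai-dev-view-users` Group is deleted and the only remaining Group is `redhat-ai-dev-users`. If that binding's subject is still `redhat-ai-dev-view-users` (its contents are not visible here, so this is inferred from how the old edit binding was named), it now points at a group that no longer exists in Git, and members of `redhat-ai-dev-users` would not receive the cluster-wide `view` the README describes. The subject there should read `name: redhat-ai-dev-users`. The README also promises `edit` on each user's personal namespace, and nothing in this resource list obviously grants that; a one-line comment stating where that access comes from would help the next reader.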
diff --git a/authorization/redhat-ai-dev-view-users.yaml b/authorization/redhat-ai-dev-view-users.yaml
deleted file mode 100644
index 74ef1da..0000000
--- a/authorization/redhat-ai-dev-view-users.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# This group provides cluster-wide view access on the redhat-ai-dev team OpenShift cluster.
-# This does *not* create your user on the cluster, you **must** have an internal SSO account to log on
-kind: Group
-apiVersion: user.openshift.io/v1
-metadata:
- name: redhat-ai-dev-view-users
\ No newline at end of file
diff --git a/authorization/redhat-ai-dev-edit.yaml b/authorization/rhoai-workspace-edit.yaml
similarity index 65%
rename from authorization/redhat-ai-dev-edit.yaml
rename to authorization/rhoai-workspace-edit.yaml
index afedae6..1dc6a80 100644
--- a/authorization/redhat-ai-dev-edit.yaml
+++ b/authorization/rhoai-workspace-edit.yaml
@@ -1,11 +1,12 @@
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: redhat-ai-dev-edit
+ name: rhoai-workspace-edit
+ namespace: rhoai-workspace
 subjects:
 - kind: Group
 apiGroup: rbac.authorization.k8s.io
- name: redhat-ai-dev-edit-users
+ name: redhat-ai-dev-users
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
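Review bot: Narrowing `redhat-ai-dev-edit` from a ClusterRoleBinding to the namespaced `rhoai-workspace-edit` RoleBinding only reduces privileges if the old cluster-scoped binding and the old `redhat-ai-dev-edit-users` Group are actually deleted from the cluster. Because the new object has a different kind and name, it is created alongside the old one rather than replacing it, and removal depends on the ArgoCD application pruning resources that have left Git, which this diff does not show. I would record that in the file header, e.g. `# Replaces ClusterRoleBinding redhat-ai-dev-edit; verify it and Group redhat-ai-dev-edit-users are pruned after sync.` The binding also assumes the `rhoai-workspace` namespace already exists, since no Namespace resource appears in the kustomization shown. `roleRef.name` lies past the end of the hunk, so the role being bound is not visible here.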