drop crtadmin-specific Roles (#78)
MatousJobanek authored Sep 13, 2024
1 parent c2f6c5f commit 69407f2
Showing 3 changed files with 10 additions and 45 deletions.
14 changes: 8 additions & 6 deletions README.adoc
Expand Up @@ -246,24 +246,26 @@ To add a -crtadmin user for a particular component in member cluster, update the
For an admin of the component that needs to manually approve operator updates:
```yaml
users:
- name: <your-name>-crtadmin
- name: <your-name>-maintainer
id:
- <sso-identities>
member:
roleBindings:
- namespace: <namespace-name>
roles:
- approve-operator-update
- view-secrets
clusterRoles:
- admin
- <edit/admin>
- some-extra-permissions
clusterRoleBindings:
clusterRoles:
- list-operators-group
- some-extra-cluster-scope-permissions
```
NOTE: The creation of the ClusterRoles is not managed via ksctl, you need to make sure that they are created in the cluster.

For a maintainer of the component with limited permissions:
```yaml
- name: <your-name>-crtadmin
- name: <your-name>-maintainer
id:
- <sso-identities>
member:
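Review bot: the sentence just above the first example, visible in the hunk header as "To add a -crtadmin user for a particular component in member cluster", still uses the -crtadmin name while the examples here are renamed to <your-name>-maintainer; update that sentence in the same change so the README does not describe two naming schemes. The new NOTE says the ClusterRoles are not managed via ksctl, but some-extra-permissions and some-extra-cluster-scope-permissions say nothing about what those roles should contain. Since the first example is still introduced as the one for approving operator updates, consider naming the concrete resource it needs (installplans in operators.coreos.com, per the Role removed from resources/roles/member.yaml) so that whoever writes the replacement ClusterRole keeps it that narrow instead of reaching for admin.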
Expand All @@ -275,7 +277,7 @@ For a maintainer of the component with limited permissions:

If you need any permissions also in a namespace in host cluster (to be used mainly by KubeSaw maintainers), then include the host section in the user's definition as well:
```yaml
- name: <your-name>-crtadmin
- name: <your-name>-maintainer
id:
- <sso-identities>
host:
36 changes: 0 additions & 36 deletions resources/roles/member.yaml
Expand Up @@ -4,25 +4,6 @@ metadata:
name: member-roles
objects:

- kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: approve-operator-update
labels:
provider: ksctl
rules:
- apiGroups:
- operators.coreos.com
resources:
- "installplans"
verbs:
- "get"
- "list"
- "create"
- "patch"
- "update"
- "delete"

- kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
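Review bot: deleting the approve-operator-update Role at the top of objects leaves any user definition that still lists it under roles pointing at something ksctl no longer provides, and nothing in this commit says what happens to those definitions. Please add a migration note (README or commit message) telling existing users to move the entry to clusterRoles, and record the rules the Role carried (get, list, create, patch, update, delete on installplans) so the externally created ClusterRole can be checked against them.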
Expand Down Expand Up @@ -73,20 +54,3 @@ objects:
- "create"
- "update"
- "patch"

- kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: edit-csv
labels:
provider: ksctl
rules:
- apiGroups:
- operators.coreos.com
resources:
- "clusterserviceversions"
verbs:
- "get"
- "list"
- "patch"
- "update"
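Review bot: edit-csv is removed at the end of the file with no replacement shown; unlike approve-operator-update, it does not reappear as a ClusterRole in the README hunks or in the test-resources change of this commit. If any user definition binds edit-csv, say how those users should now get patch and update on clusterserviceversions, or state in the commit message that the role was unused.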
5 changes: 2 additions & 3 deletions test-resources/dummy.openshiftapps.com/kubesaw-admins.yaml
Expand Up @@ -143,13 +143,12 @@ users:
member:
roleBindings:
- namespace: some-component
roles:
- approve-operator-update
clusterRoles:
- edit
- approve-operator-update # needs to be created separately
clusterRoleBindings:
clusterRoles:
- list-operators-group
- list-operators-group # needs to be created separately

- name: other-component-viewer
id:
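Review bot: under clusterRoles in the some-component binding, approve-operator-update and list-operators-group are now referenced by name only, with "# needs to be created separately" as the sole guard. Kubernetes accepts a RoleBinding or ClusterRoleBinding whose roleRef points at a ClusterRole that does not exist, and the binding grants whatever rules an object of that name later carries, so a typo or a broader ClusterRole created by someone else goes unnoticed. Consider having ksctl warn when a referenced ClusterRole is not present in the cluster, and add a test case for that; list-operators-group deserves the most attention because it is bound cluster-wide.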