Commit da37912

try to constrain rbac based on e2e usage
Signed-off-by: Alexander Greene <[email protected]>
1 parent e98b8f0 commit da37912

1 file changed

+88
-3
lines changed

manifests/0000_50_olm_01-olm-operator.serviceaccount.yaml

Lines changed: 88 additions & 3 deletions
@@ -15,11 +15,96 @@ metadata:
1515
include.release.openshift.io/ibm-cloud-managed: "true"
1616
include.release.openshift.io/self-managed-high-availability: "true"
1717
rules:
18-
- apiGroups: ["*"]
19-
resources: ["*"]
20-
verbs: ["*"]
2118
- nonResourceURLs: ["*"]
2219
verbs: ["*"]
20+
- apiGroups:
21+
- ""
22+
resources:
23+
- namespaces
24+
- pods
25+
- services
26+
- pods/status
27+
- configmaps
28+
- secrets
29+
- serviceaccounts
30+
verbs:
31+
- '*'
32+
- apiGroups:
33+
- admissionregistration.k8s.io
34+
resources:
35+
- mutatingwebhookconfigurations
36+
- validatingwebhookconfigurations
37+
verbs:
38+
- '*'
39+
- apiGroups:
40+
- apiextensions.k8s.io
41+
resources:
42+
- customresourcedefinitions
43+
verbs:
44+
- '*'
45+
- apiGroups:
46+
- apiregistration.k8s.io
47+
resources:
48+
- apiservices
49+
verbs:
50+
- '*'
51+
- apiGroups:
52+
- apps
53+
resources:
54+
- deployments
55+
verbs:
56+
- '*'
57+
- apiGroups:
58+
- batch
59+
resources:
60+
- jobs
61+
verbs:
62+
- '*'
63+
- apiGroups:
64+
- config.openshift.io
65+
resources:
66+
- clusteroperators
67+
- infrastructures
68+
- proxies
69+
verbs:
70+
- '*'
71+
- apiGroups:
72+
- coordination.k8s.io
73+
resourceNames:
74+
- packageserver-controller-lock
75+
resources:
76+
- leases
77+
verbs:
78+
- '*'
79+
- apiGroups:
80+
- cluster.com
81+
resources:
82+
- '*'
83+
verbs:
84+
- '*'
85+
- apiGroups:
86+
- operators.coreos.com
87+
resources:
88+
- '*'
89+
verbs:
90+
- '*'
91+
- apiGroups:
92+
- rbac.authorization.k8s.io
93+
resources:
94+
- clusterrolebindings
95+
- clusterroles
96+
- rolebindings
97+
- roles
98+
verbs:
99+
- '*'
100+
- apiGroups:
101+
- security.openshift.io
102+
resources:
103+
- securitycontextconstraints
104+
resourceNames:
105+
- restricted-v2
106+
verbs:
107+
- use
23108
---
24109
apiVersion: rbac.authorization.k8s.io/v1
25110
kind: ClusterRoleBinding
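
Review bot: The `rbac.authorization.k8s.io` rule (new lines 91-99) keeps `'*'` verbs on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, and a wildcard verb includes `escalate` and `bind`, so this service account can still grant itself any permission and dropping the `apiGroups: ["*"]` rule does not actually bound it. I'd suggest listing the verbs the operator needs there explicitly, and doing the same for `secrets` and `serviceaccounts` in the core-group rule (new lines 20-31), which also carry `'*'`. Smaller points: the unchanged `nonResourceURLs: ["*"]` with `verbs: ["*"]` is still fully open; the `leases` rule pairs `resourceNames: packageserver-controller-lock` with `'*'`, but Kubernetes cannot restrict `create` by resource name, so a create of that lease would not be authorized by this rule; and since the list is derived from e2e usage, please confirm whether `cluster.com` with wildcard resources is needed outside the tests.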