From d84378e430c752cdc8fff86f574a4746545a3d3c Mon Sep 17 00:00:00 2001
From: Yang Le <yangle@redhat.com>
Date: Tue, 27 Jul 2021 10:57:14 +0800
Subject: [PATCH] refine placement permissions

Signed-off-by: Yang Le <yangle@redhat.com>
---
 .../cluster-manager-placement-clusterrole.yaml             | 7 +++++--
 pkg/operators/clustermanager/bindata/bindata.go            | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/manifests/cluster-manager/cluster-manager-placement-clusterrole.yaml b/manifests/cluster-manager/cluster-manager-placement-clusterrole.yaml
index 48bef68e0..bc4512ba4 100644
--- a/manifests/cluster-manager/cluster-manager-placement-clusterrole.yaml
+++ b/manifests/cluster-manager/cluster-manager-placement-clusterrole.yaml
@@ -17,8 +17,11 @@ rules:
   verbs: ["get", "list", "watch"]
 # Allow controller to manage placements/placementdecisions
 - apiGroups: ["cluster.open-cluster-management.io"]
-  resources: ["placements", "placementdecisions"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
+  resources: ["placements"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["placementdecisions"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: ["cluster.open-cluster-management.io"]
   resources: ["placements/status", "placementdecisions/status"]
   verbs: ["update", "patch"]
diff --git a/pkg/operators/clustermanager/bindata/bindata.go b/pkg/operators/clustermanager/bindata/bindata.go
index c95d375d6..d9ef18c0d 100644
--- a/pkg/operators/clustermanager/bindata/bindata.go
+++ b/pkg/operators/clustermanager/bindata/bindata.go
@@ -1676,8 +1676,11 @@ rules:
   verbs: ["get", "list", "watch"]
 # Allow controller to manage placements/placementdecisions
 - apiGroups: ["cluster.open-cluster-management.io"]
-  resources: ["placements", "placementdecisions"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
+  resources: ["placements"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["cluster.open-cluster-management.io"]
+  resources: ["placementdecisions"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 - apiGroups: ["cluster.open-cluster-management.io"]
   resources: ["placements/status", "placementdecisions/status"]
   verbs: ["update", "patch"]