mirror of
https://github.com/open-cluster-management-io/ocm.git
synced 2026-02-14 10:00:11 +00:00
353a850f8d
* sync labels from klusterlet to all agent resources (#475) Signed-off-by: Zhiwei Yin <zyin@redhat.com> * add enable-sync-labels flag to klusterlet operator (#505) Signed-off-by: Zhiwei Yin <zyin@redhat.com> * fix issue that pull secret and ns are synced labels when enable-sync-labels is disabled (#511) Signed-off-by: Zhiwei Yin <zyin@redhat.com> --------- Signed-off-by: Zhiwei Yin <zyin@redhat.com>
23 lines
760 B
YAML
23 lines
760 B
YAML
# Mandatory ClusterRole permission for registartion agent
|
|
# Registartion agent can not run without these permissions
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: open-cluster-management:{{ .KlusterletName }}-registration:agent
|
|
labels:
|
|
{{ if gt (len .Labels) 0 }}
|
|
{{ range $key, $value := .Labels }}
|
|
{{ $key }}: {{ $value }}
|
|
{{ end }}
|
|
{{ end }}
|
|
rules:
|
|
# Allow agent to get/list/watch nodes
|
|
# list nodes to calculates the capacity and allocatable resources of the managed cluster
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get", "list", "watch"]
|
|
# Allow agent to list clusterclaims
|
|
- apiGroups: ["cluster.open-cluster-management.io"]
|
|
resources: ["clusterclaims"]
|
|
verbs: ["get", "list", "watch"]
|