open-cluster-management/manifests/cluster-manager/hub/addon-manager/clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: open-cluster-management:{{ .ClusterManagerName }}-addon-manager:controller
  labels:
    {{ if gt (len .Labels) 0 }}
    {{ range $key, $value := .Labels }}
    "{{ $key }}": "{{ $value }}"
    {{ end }}
    {{ end }}
rules:
# Allow controller to get/list/watch/create/delete configmaps/events
- apiGroups: [""]
  resources: ["configmaps", "events"]
  verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get"] 
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["get", "create"]
# Allow controller to manage managedclusters/placements/placementdecisions
- apiGroups: ["cluster.open-cluster-management.io"]
  resources: ["managedclusters", "placements", "placementdecisions"]
  verbs: ["get", "list", "watch"]
# Allow controller to manage managedclusteraddons/clustermanagementaddons/addontemplates/addondeploymentconfigs
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["managedclusteraddons/finalizers"]
  verbs: ["update"]
- apiGroups: [ "addon.open-cluster-management.io" ]
  resources: [ "clustermanagementaddons/finalizers" ]
  verbs: [ "update" ]
- apiGroups: [ "addon.open-cluster-management.io" ]
  resources: [ "clustermanagementaddons/status" ]
  verbs: ["update", "patch"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["clustermanagementaddons"]
  verbs: ["patch", "get", "list", "watch"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["managedclusteraddons"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["managedclusteraddons/status"]
  verbs: ["update", "patch"]
- apiGroups: ["addon.open-cluster-management.io"]
  resources: ["addontemplates", "addondeploymentconfigs"]
  verbs: ["get", "list", "watch"]
# Allow controller to manage manifestworks
- apiGroups: ["work.open-cluster-management.io"]
  resources: ["manifestworks"]
  verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
# addon template controller needs these permissions to approve CSR and sign CA
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["create", "get", "list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/approval", "certificatesigningrequests/status"]
  verbs: ["update"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["signers"]
  verbs: ["approve", "sign"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]