github/open-cluster-management
1
0
Fork 0
mirror of https://github.com/open-cluster-management-io/ocm.git synced 2026-05-19 23:57:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7bc76ce2df367fb8f98bb23913d01a1ed8bc98ce
open-cluster-management/deploy/hub/hub_controller_clusterrole.yaml
Yang Le 74f73db584 Add controller for ManagedClusterSet
2020-08-26 15:03:38 +08:00

53 lines
2.3 KiB
YAML
Raw Blame History

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: open-cluster-management:hub
rules:
# Allow hub to monitor and update status of csr
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/status"]
verbs: ["update"]
# Allow hub to get/list/watch/create/delete namespace and service account
- apiGroups: [""]
resources: ["namespaces", "serviceaccounts", "configmaps", "events"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# Allow hub to manage clusterrole/clusterrolebinding/role/rolebinding
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Allow hub to manage coordination.k8s.io/lease
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# Allow hub to manage managedclusters
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclusters"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclusters/status"]
verbs: ["update", "patch"]
- apiGroups: ["work.open-cluster-management.io"]
resources: ["manifestworks"]
verbs: ["get", "list", "watch", "update", "patch", "delete"]
- apiGroups: ["register.open-cluster-management.io"]
resources: ["managedclusters/clientcertificates"]
verbs: ["renew"]
- apiGroups: ["register.open-cluster-management.io"]
resources: ["managedclusters/accept"]
verbs: ["update"]
# Allow hub to approve certificates that are signed by kubernetes.io/kube-apiserver-client (kube1.18.3+ needs)
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["kubernetes.io/kube-apiserver-client"]
verbs: ["approve"]
# Allow hub to manage managedclustersets
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclustersets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["cluster.open-cluster-management.io"]
resources: ["managedclustersets/status"]
verbs: ["update", "patch"]
Reference in New Issue View Git Blame Copy Permalink