open-cluster-management/manifests/cluster-manager/hub/registration/clusterrole.yaml
Yang Le f6dec25bdf
add contoller to support token infrastructure (#1340)
Signed-off-by: Yang Le <yangle@redhat.com>
2026-01-27 13:06:21 +00:00


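# ClusterRole for the hub-side registration controller, rendered as a Go
# template by cluster-manager. Template directives are kept at column 0 (or at
# the indent of the mapping they emit into) so the rendered text stays valid
# YAML. Rules are grouped by the API the controller touches; each group carries
# a comment naming why the permission is needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
  labels:
    {{ if gt (len .Labels) 0 }}
    {{ range $key, $value := .Labels }}
    "{{ $key }}": "{{ $value }}"
    {{ end }}
    {{ end }}
rules:
  # Allow hub to monitor CSRs and update their status/approval.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["create", "get", "list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status", "certificatesigningrequests/approval"]
    verbs: ["update"]
  # Allow hub to manage namespaces, service accounts and configmaps.
  - apiGroups: [""]
    resources: ["namespaces", "serviceaccounts", "configmaps"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # Token issuance is deliberately limited to a single, named service account;
  # do not widen resourceNames here without reviewing what that token can do.
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames:
      - "agent-registration-bootstrap"
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["", "events.k8s.io"]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get"]
  # Allow hub to manage clusterrole/clusterrolebinding/role/rolebinding.
  # Writing RBAC objects is subject to the API server's escalation check: the
  # controller can only grant permissions it already holds unless it is also
  # given the "escalate"/"bind" verbs, which this role intentionally omits.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "rolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "roles"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Allow hub to manage coordination.k8s.io/lease.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
  # Allow hub to manage managedclusters.
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclusters"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclusters/status"]
    verbs: ["update", "patch"]
  # Allow hub to manage manifestworks. "execute-as" is an OCM-specific verb
  # rather than a core Kubernetes verb; presumably it is evaluated through a
  # SubjectAccessReview by the work components — confirm against the consumer.
  - apiGroups: ["work.open-cluster-management.io"]
    resources: ["manifestworks"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "deletecollection", "patch", "execute-as"]
  - apiGroups: ["work.open-cluster-management.io"]
    resources: ["manifestworks/status"]
    verbs: ["patch", "update"]
  # Allow hub to manage manifestworkreplicasets.
  - apiGroups: ["work.open-cluster-management.io"]
    resources: ["manifestworkreplicasets"]
    verbs: ["get", "list", "watch", "update", "delete", "deletecollection", "patch"]
  - apiGroups: ["work.open-cluster-management.io"]
    resources: ["manifestworkreplicasets/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["work.open-cluster-management.io"]
    resources: ["manifestworkreplicasets/finalizers"]
    verbs: ["update"]
  # Allow hub to approve CSRs for the kubernetes.io/kube-apiserver-client signer
  # (required since Kubernetes 1.18.3). Approval for this signer yields API
  # server client certificates, so the controller's own CSR validation is the
  # effective gate; keep the signer list to exactly this name.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["kubernetes.io/kube-apiserver-client"]
    verbs: ["approve"]
  # Allow hub to manage managedclustersets.
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclustersets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclustersets/status"]
    verbs: ["update", "patch"]
  # Allow hub to manage managedclustersetbindings.
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclustersetbindings"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclustersetbindings/status"]
    verbs: ["update", "patch"]
  # Allow access to the metrics API (token and access review for callers).
  # A second, identical subjectaccessreviews rule used to sit above under the
  # RBAC section; it was redundant and has been folded into this one.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  # Allow hub to manage managed cluster addons.
  - apiGroups: ["addon.open-cluster-management.io"]
    resources: ["managedclusteraddons"]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: ["addon.open-cluster-management.io"]
    resources: ["managedclusteraddons/status"]
    verbs: ["patch", "update"]
  - apiGroups: ["register.open-cluster-management.io"]
    resources: ["managedclusters/clientcertificates"]
    verbs: ["renew"]
  - apiGroups: ["register.open-cluster-management.io"]
    resources: ["managedclusters/accept"]
    verbs: ["update"]
{{if .ClusterImporterEnabled}}
  - apiGroups: ["cluster.x-k8s.io"]
    resources: ["clusters"]
    verbs: ["get", "list", "watch"]
  # Allow registration to render the klusterlet manifests from the
  # cluster-import-config or the image-pull-credentials secret when importing
  # a CAPI cluster. Keep this rule at "get" only: list/watch are honoured with
  # resourceNames only when the client supplies a matching metadata.name field
  # selector, so adding them would effectively expose all secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames:
      - "open-cluster-management-image-pull-credentials"
      - "cluster-import-config"
{{end}}
{{if .ClusterProfileEnabled}}
  # Allow hub to manage clusterprofiles.
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["clusterprofiles"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["clusterprofiles/status"]
    verbs: ["update", "patch"]
{{end}}
{{if .GRPCAuthEnabled}}
  # Allow hub to approve and sign certificates for the gRPC signer. "sign" means
  # the controller itself issues the certificate, so the private key handling
  # lives in the controller rather than in the API server's signer.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["open-cluster-management.io/grpc"]
    verbs: ["approve", "sign"]
{{end}}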