fix CA

Signed-off-by: Monis Khan <[email protected]>

pkg/cmd/server/bootstrappolicy/policy.go

@@ -100,7 +100,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 			ObjectMeta: kapi.ObjectMeta{
 				Name: ClusterAdminRoleName,
 				Annotations: map[string]string{
-					oapi.OpenShiftDescription: "A super-user that can perform any action in the cluster. When granted to a user within a project, they have full control over quota and roles and every action on every resource in the project.",
+					oapi.OpenShiftDescription: "A super-user that can perform any action in the cluster. When granted to a user within a project, they have full control over quota and membership and can perform every action on every resource in the project.",
 					roleSystemOnly:            roleIsSystemOnly,
 				},
 			},

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -6,8 +6,8 @@ items:
     annotations:
       authorization.openshift.io/system-only: "true"
       openshift.io/description: A super-user that can perform any action in the cluster.
-        When granted to a user within a local policy, they have full control over
-        quota and roles and every action on every resource in the project.
+        When granted to a user within a project, they have full control over quota
+        and membership and can perform every action on every resource in the project.
     creationTimestamp: null
     name: cluster-admin
   rules:
@@ -496,11 +496,8 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
-      openshift.io/description: A project manager. If used in a local binding, an
-        admin user will have rights to view any resource in the project and modify
-        any resource in the project except for role creation and quota. If the cluster-admin
-        wants to allow an admin to modify roles, the cluster-admin must create a project-scoped
-        Policy object.
+      openshift.io/description: A user that has edit rights within the project and
+        can change the project's membership.
     creationTimestamp: null
     name: admin
   rules:
@@ -908,8 +905,8 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
-      openshift.io/description: A user that can modify most objects in a project,
-        but does not have the power to view or modify roles or bindings.
+      openshift.io/description: A user that can create and edit most objects in a
+        project, but can not update the project's membership.
     creationTimestamp: null
     name: edit
   rules:
@@ -1254,9 +1251,8 @@ items:
   kind: ClusterRole
   metadata:
     annotations:
-      openshift.io/description: A user who cannot make any modifications, but can
-        see most objects in a project. They cannot view or modify roles or bindings
-        or secrets.
+      openshift.io/description: A user who can view but not edit any resources within
+        the project. They can not view secrets or membership.
     creationTimestamp: null
     name: view
   rules:
@@ -1639,6 +1635,8 @@ items:
 - apiVersion: v1
   kind: ClusterRole
   metadata:
+    annotations:
+      openshift.io/description: Grants the right to pull images from within a project.
     creationTimestamp: null
     name: system:image-puller
   rules:
@@ -1652,6 +1650,9 @@ items:
 - apiVersion: v1
   kind: ClusterRole
   metadata:
+    annotations:
+      openshift.io/description: Grants the right to push and pull images from within
+        a project.
     creationTimestamp: null
     name: system:image-pusher
   rules:
@@ -1666,6 +1667,9 @@ items:
 - apiVersion: v1
   kind: ClusterRole
   metadata:
+    annotations:
+      openshift.io/description: Grants the right to build, push and pull images from
+        within a project.  Used primarily with service accounts for builds.
     creationTimestamp: null
     name: system:image-builder
   rules:
@@ -1789,6 +1793,9 @@ items:
 - apiVersion: v1
   kind: ClusterRole
   metadata:
+    annotations:
+      openshift.io/description: Grants the right to deploy within a project.  Used
+        primarily with service accounts for automated deployments.
     creationTimestamp: null
     name: system:deployer
   rules: