diff --git a/pkg/cmd/server/bootstrappolicy/all_test.go b/pkg/cmd/server/bootstrappolicy/all_test.go
index 7f36dafebded..8b58fa700d54 100644
--- a/pkg/cmd/server/bootstrappolicy/all_test.go
+++ b/pkg/cmd/server/bootstrappolicy/all_test.go
@@ -16,9 +16,10 @@ const osClusterRoleAggregationPrefix = "system:openshift:"
 // this map must be manually kept up to date as we make changes to aggregation
 // we hard code this data with no constants because we cannot change the underlying values
 var expectedAggregationMap = map[string]sets.String{
- "admin": sets.NewString("system:openshift:aggregate-to-admin", "system:aggregate-to-admin"),
- "edit": sets.NewString("system:openshift:aggregate-to-edit", "system:aggregate-to-edit"),
- "view": sets.NewString("system:openshift:aggregate-to-view", "system:aggregate-to-view"),
+ "admin": sets.NewString("system:openshift:aggregate-to-admin", "system:aggregate-to-admin"),
+ "edit": sets.NewString("system:openshift:aggregate-to-edit", "system:aggregate-to-edit"),
+ "view": sets.NewString("system:openshift:aggregate-to-view", "system:aggregate-to-view"),
+ "cluster-reader": sets.NewString("system:openshift:aggregate-to-view", "system:aggregate-to-view", "system:openshift:aggregate-to-cluster-reader"),
 }
 
 func TestPolicyAggregation(t *testing.T) {
diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
index 548dc5a7f88a..bdbb3ff7d870 100644
--- a/pkg/cmd/server/bootstrappolicy/constants.go
+++ b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -53,22 +53,23 @@ const (
 
 // Roles
 const (
- ClusterAdminRoleName = "cluster-admin"
- SudoerRoleName = "sudoer"
- ScopeImpersonationRoleName = "system:scope-impersonation"
- ClusterReaderRoleName = "cluster-reader"
- StorageAdminRoleName = "storage-admin"
- ClusterDebuggerRoleName = "cluster-debugger"
- AdminRoleName = "admin"
- EditRoleName = "edit"
- ViewRoleName = "view"
- AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
- AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
- AggregatedViewRoleName = "system:openshift:aggregate-to-view"
- SelfProvisionerRoleName = "self-provisioner"
- BasicUserRoleName = "basic-user"
- StatusCheckerRoleName = "cluster-status"
- SelfAccessReviewerRoleName = "self-access-reviewer"
+ ClusterAdminRoleName = "cluster-admin"
+ SudoerRoleName = "sudoer"
+ ScopeImpersonationRoleName = "system:scope-impersonation"
+ ClusterReaderRoleName = "cluster-reader"
+ StorageAdminRoleName = "storage-admin"
+ ClusterDebuggerRoleName = "cluster-debugger"
+ AdminRoleName = "admin"
+ EditRoleName = "edit"
+ ViewRoleName = "view"
+ AggregatedAdminRoleName = "system:openshift:aggregate-to-admin"
+ AggregatedEditRoleName = "system:openshift:aggregate-to-edit"
+ AggregatedViewRoleName = "system:openshift:aggregate-to-view"
+ AggregatedClusterReaderRoleName = "system:openshift:aggregate-to-cluster-reader"
+ SelfProvisionerRoleName = "self-provisioner"
+ BasicUserRoleName = "basic-user"
+ StatusCheckerRoleName = "cluster-status"
+ SelfAccessReviewerRoleName = "self-access-reviewer"
 
 RegistryAdminRoleName = "registry-admin"
 RegistryViewerRoleName = "registry-viewer"
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
index 02c8044cc3ce..4c3b5ca0efed 100644
--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -135,35 +135,46 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole { ObjectMeta: metav1.ObjectMeta{ Name: ClusterReaderRoleName, }, + AggregationRule: &rbacv1.AggregationRule{ + ClusterRoleSelectors: []metav1.LabelSelector{ + { + MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}, + }, + { + MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}, + }, + }, + }, + }, + { + ObjectMeta: metav1.ObjectMeta{ + Name: AggregatedClusterReaderRoleName, + Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}, + }, Rules: []rbacv1.PolicyRule{ - rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges", - "namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes", - "persistentvolumes/status", "pods", "pods/binding", "pods/eviction", "pods/log", "pods/status", "podtemplates", "replicationcontrollers", "replicationcontrollers/scale", - "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "securitycontextconstraints", "serviceaccounts", "services", - "services/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("componentstatuses", "nodes", "nodes/status", "persistentvolumeclaims/status", "persistentvolumes", + "persistentvolumes/status", "pods/binding", "pods/eviction", "podtemplates", "securitycontextconstraints", "services/status").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(admissionRegistrationGroup).Resources("mutatingwebhookconfigurations", "validatingwebhookconfigurations").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(appsGroup).Resources("statefulsets", "statefulsets/scale", "statefulsets/status", "deployments", "deployments/scale", "deployments/status", "controllerrevisions", "daemonsets", "daemonsets/status", 
"replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(appsGroup).Resources("statefulsets/status", "deployments/status", "controllerrevisions", "daemonsets/status", + "replicasets/status").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(apiExtensionsGroup).Resources("customresourcedefinitions", "customresourcedefinitions/status").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(apiRegistrationGroup).Resources("apiservices", "apiservices/status").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers/status").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(batchGroup).Resources("jobs", "jobs/status", "cronjobs", "cronjobs/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(batchGroup).Resources("jobs/status", "cronjobs/status").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", - "deployments/status", "horizontalpodautoscalers", "horizontalpodautoscalers/status", "ingresses", "ingresses/status", "jobs", "jobs/status", - "networkpolicies", "podsecuritypolicies", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers", - "replicationcontrollers/scale", "storageclasses", "thirdpartyresources").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(extensionsGroup).Resources("daemonsets/status", "deployments/status", "horizontalpodautoscalers", + "horizontalpodautoscalers/status", "ingresses/status", "jobs", "jobs/status", "podsecuritypolicies", "replicasets/status", "replicationcontrollers", + "storageclasses", "thirdpartyresources").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(eventsGroup).Resources("events").RuleOrDie(), - 
rbacv1helpers.NewRule(read...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(), - - rbacv1helpers.NewRule(read...).Groups(policyGroup).Resources("podsecuritypolicies", "poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(policyGroup).Resources("podsecuritypolicies", "poddisruptionbudgets/status").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(rbacGroup).Resources("roles", "rolebindings", "clusterroles", "clusterrolebindings").RuleOrDie(), 
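Review bot: The new `AggregationRule` on cluster-reader carries no comment, and the label keys `rbac.authorization.k8s.io/aggregate-to-cluster-reader` and `rbac.authorization.k8s.io/aggregate-to-view` appear as bare string literals in the selector and again in the `Labels` of the new `AggregatedClusterReaderRoleName` role. Since the hunk moves the entire `Rules` list off cluster-reader onto the new role, cluster-reader now has no rules of its own, and a comment above the rule such as `// cluster-reader has no rules of its own: it is the union of every ClusterRole labeled aggregate-to-view (i.e. view) plus those labeled aggregate-to-cluster-reader` would tell a reader where its permissions come from. Consider hoisting the two label keys into constants next to `AggregatedClusterReaderRoleName` so the selector, the role label and the tests cannot drift apart. GetOpenshiftBootstrapClusterRoles begins and ends outside this hunk.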
@@ -173,45 +184,46 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole { rbacv1helpers.NewRule(read...).Groups(schedulingGroup).Resources("priorityclasses").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(certificatesGroup).Resources("certificatesigningrequests", "certificatesigningrequests/approval", "certificatesigningrequests/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(certificatesGroup).Resources("certificatesigningrequests", "certificatesigningrequests/approval", + "certificatesigningrequests/status").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", "rolebindingrestrictions").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(authzGroup, legacyAuthzGroup).Resources("clusterroles", "clusterrolebindings", "roles", "rolebindings", + "rolebindingrestrictions").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds", "builds/details", "buildconfigs", "buildconfigs/webhooks", "builds/log").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("builds/details").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs", "deploymentconfigs/scale", "deploymentconfigs/log", - "deploymentconfigs/status").RuleOrDie(), - - rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures", "imagestreams", "imagestreamtags", "imagestreamimages", - "imagestreams/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(imageGroup, legacyImageGroup).Resources("images", "imagesignatures").RuleOrDie(), // pull images rbacv1helpers.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(oauthGroup, legacyOauthGroup).Resources("oauthclientauthorizations").RuleOrDie(), - 
rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests", "projects").RuleOrDie(), + // "get" comes in from aggregate-to-view role + rbacv1helpers.NewRule("list", "watch").Groups(projectGroup, legacyProjectGroup).Resources("projects").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("appliedclusterresourcequotas", "clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(projectGroup, legacyProjectGroup).Resources("projectrequests").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(routeGroup, legacyRouteGroup).Resources("routes", "routes/status").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(quotaGroup, legacyQuotaGroup).Resources("clusterresourcequotas", "clusterresourcequotas/status").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(), + rbacv1helpers.NewRule(read...).Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", + "netnamespaces").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(securityGroup, legacySecurityGroup).Resources("securitycontextconstraints").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(securityGroup).Resources("rangeallocations").RuleOrDie(), - rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("templates", "templateconfigs", "processedtemplates", "templateinstances").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(templateGroup, legacyTemplateGroup).Resources("brokertemplateinstances", "templateinstances/status").RuleOrDie(), rbacv1helpers.NewRule(read...).Groups(userGroup, legacyUserGroup).Resources("groups", "identities", "useridentitymappings", "users").RuleOrDie(), // permissions to check access. 
These creates are non-mutating - rbacv1helpers.NewRule("create").Groups(authzGroup, legacyAuthzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews", - "selfsubjectrulesreviews", "subjectrulesreviews", "subjectaccessreviews").RuleOrDie(), - rbacv1helpers.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews", "subjectaccessreviews", "selfsubjectrulesreviews", "localsubjectaccessreviews").RuleOrDie(), + rbacv1helpers.NewRule("create").Groups(authzGroup, legacyAuthzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", + "resourceaccessreviews", "selfsubjectrulesreviews", "subjectrulesreviews", "subjectaccessreviews").RuleOrDie(), + rbacv1helpers.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews", "subjectaccessreviews", "selfsubjectrulesreviews", + "localsubjectaccessreviews").RuleOrDie(), rbacv1helpers.NewRule("create").Groups(kAuthnGroup).Resources("tokenreviews").RuleOrDie(), // permissions to check PSP, these creates are non-mutating - rbacv1helpers.NewRule("create").Groups(securityGroup, legacySecurityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(), + rbacv1helpers.NewRule("create").Groups(securityGroup, legacySecurityGroup).Resources("podsecuritypolicysubjectreviews", + "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(), // Allow read access to node metrics rbacv1helpers.NewRule("get").Groups(kapiGroup).Resources("nodes/"+NodeMetricsSubresource, "nodes/"+NodeSpecSubresource).RuleOrDie(), // Allow read access to stats 
@@ -219,10 +231,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("get", "create").Groups(kapiGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),
 
 rbacv1helpers.NewRule("get").URLs(rbac.NonResourceAll).RuleOrDie(),
-
- // backwards compatibility
- rbacv1helpers.NewRule(read...).Groups(buildGroup, legacyBuildGroup).Resources("buildlogs").RuleOrDie(),
- rbacv1helpers.NewRule(read...).Groups(kapiGroup).Resources("resourcequotausages").RuleOrDie(),
 },
 },
 {
@@ -1014,8 +1022,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
 
 func GetBootstrapClusterRolesToAggregate() map[string]string {
 return map[string]string{
- AdminRoleName: AggregatedAdminRoleName,
- EditRoleName: AggregatedEditRoleName,
- ViewRoleName: AggregatedViewRoleName,
+ AdminRoleName: AggregatedAdminRoleName,
+ EditRoleName: AggregatedEditRoleName,
+ ViewRoleName: AggregatedViewRoleName,
+ ClusterReaderRoleName: AggregatedClusterReaderRoleName,
 }
 }
diff --git a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
index 0416f90c131e..63f0b1583407 100644
--- a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
+++ b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go
@@ -65,6 +65,7 @@ var rolesToHide = sets.NewString(
 "system:openshift:aggregate-to-admin",
 "system:openshift:aggregate-to-edit",
 "system:openshift:aggregate-to-view",
+ "system:openshift:aggregate-to-cluster-reader",
 "system:kubelet-api-admin",
 "system:volume-scheduler",
 )
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
index d4c2f5605a56..2a2d7c6611d0 100644
--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
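Review bot: The two `// backwards compatibility` rules removed here (`buildlogs` and `resourcequotausages`) are deleted outright rather than moved into the new `system:openshift:aggregate-to-cluster-reader` rule list, so cluster-reader retains them only if the view aggregate already grants them, which this diff does not show. If that is the intent, a one-line note at the removal point or in the commit description would spare the next reader a search; if not, the two `NewRule(read...)` lines belong in the aggregated role's `Rules` in the first hunk of this file. The enclosing GetOpenshiftBootstrapClusterRoles function starts outside this hunk.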
@@ -66,7 +66,13 @@ items: - userextras/scopes.authorization.openshift.io verbs: - impersonate -- apiVersion: rbac.authorization.k8s.io/v1 +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: @@ -74,38 +80,31 @@ items: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null name: cluster-reader + rules: null +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + name: system:openshift:aggregate-to-cluster-reader rules: - apiGroups: - "" resources: - - bindings - componentstatuses - - configmaps - - endpoints - - events - - limitranges - - namespaces - - namespaces/status - nodes - nodes/status - - persistentvolumeclaims - persistentvolumeclaims/status - persistentvolumes - persistentvolumes/status - - pods - pods/binding - pods/eviction - - pods/log - - pods/status - podtemplates - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - securitycontextconstraints - - serviceaccounts - - services - services/status verbs: - get @@ -124,16 +123,9 @@ items: - apps resources: - controllerrevisions - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - - replicasets - - replicasets/scale - replicasets/status - - statefulsets - - statefulsets/scale - statefulsets/status verbs: - get @@ -160,7 +152,6 @@ items: - apiGroups: - autoscaling resources: - - horizontalpodautoscalers - horizontalpodautoscalers/status verbs: - get 
@@ -169,9 +160,7 @@ items: - apiGroups: - batch resources: - - cronjobs - cronjobs/status - - jobs - jobs/status verbs: - get @@ -180,24 +169,16 @@ items: - apiGroups: - extensions resources: - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - horizontalpodautoscalers - horizontalpodautoscalers/status - - ingresses - ingresses/status - jobs - jobs/status - - networkpolicies - podsecuritypolicies - - replicasets - - replicasets/scale - replicasets/status - replicationcontrollers - - replicationcontrollers/scale - storageclasses - thirdpartyresources verbs: @@ -212,18 +193,9 @@ items: - get - list - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - apiGroups: - policy resources: - - poddisruptionbudgets - poddisruptionbudgets/status - podsecuritypolicies verbs: @@ -293,23 +265,7 @@ items: - "" - build.openshift.io resources: - - buildconfigs - - buildconfigs/webhooks - - builds - builds/details - - builds/log - verbs: - - get - - list - - watch - - apiGroups: - - "" - - apps.openshift.io - resources: - - deploymentconfigs - - deploymentconfigs/log - - deploymentconfigs/scale - - deploymentconfigs/status verbs: - get - list @@ -320,10 +276,6 @@ items: resources: - images - imagesignatures - - imagestreamimages - - imagestreams - - imagestreams/status - - imagestreamtags verbs: - get - list @@ -348,29 +300,25 @@ items: - "" - project.openshift.io resources: - - projectrequests - projects verbs: - - get - list - watch - apiGroups: - "" - - quota.openshift.io + - project.openshift.io resources: - - appliedclusterresourcequotas - - clusterresourcequotas - - clusterresourcequotas/status + - projectrequests verbs: - get - list - watch - apiGroups: - "" - - route.openshift.io + - quota.openshift.io resources: - - routes - - routes/status + - clusterresourcequotas + - clusterresourcequotas/status verbs: - get - list 
@@ -404,18 +352,6 @@ items: - get - list - watch - - apiGroups: - - "" - - template.openshift.io - resources: - - processedtemplates - - templateconfigs - - templateinstances - - templates - verbs: - - get - - list - - watch - apiGroups: - "" - template.openshift.io @@ -492,23 +428,6 @@ items: - '*' verbs: - get - - apiGroups: - - "" - - build.openshift.io - resources: - - buildlogs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotausages - verbs: - - get - - list - - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml index 44f6bd4f6121..99d12c594035 100644 --- a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml @@ -66,7 +66,13 @@ items: - userextras/scopes.authorization.openshift.io verbs: - impersonate -- apiVersion: rbac.authorization.k8s.io/v1 +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: 
@@ -74,38 +80,31 @@ items: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null name: cluster-reader + rules: null +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + name: system:openshift:aggregate-to-cluster-reader rules: - apiGroups: - "" resources: - - bindings - componentstatuses - - configmaps - - endpoints - - events - - limitranges - - namespaces - - namespaces/status - nodes - nodes/status - - persistentvolumeclaims - persistentvolumeclaims/status - persistentvolumes - persistentvolumes/status - - pods - pods/binding - pods/eviction - - pods/log - - pods/status - podtemplates - - replicationcontrollers - - replicationcontrollers/scale - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - securitycontextconstraints - - serviceaccounts - - services - services/status verbs: - get @@ -124,16 +123,9 @@ items: - apps resources: - controllerrevisions - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - - replicasets - - replicasets/scale - replicasets/status - - statefulsets - - statefulsets/scale - statefulsets/status verbs: - get @@ -160,7 +152,6 @@ items: - apiGroups: - autoscaling resources: - - horizontalpodautoscalers - horizontalpodautoscalers/status verbs: - get @@ -169,9 +160,7 @@ items: - apiGroups: - batch resources: - - cronjobs - cronjobs/status - - jobs - jobs/status verbs: - get 
@@ -180,24 +169,16 @@ items: - apiGroups: - extensions resources: - - daemonsets - daemonsets/status - - deployments - - deployments/scale - deployments/status - horizontalpodautoscalers - horizontalpodautoscalers/status - - ingresses - ingresses/status - jobs - jobs/status - - networkpolicies - podsecuritypolicies - - replicasets - - replicasets/scale - replicasets/status - replicationcontrollers - - replicationcontrollers/scale - storageclasses - thirdpartyresources verbs: @@ -212,18 +193,9 @@ items: - get - list - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - apiGroups: - policy resources: - - poddisruptionbudgets - poddisruptionbudgets/status - podsecuritypolicies verbs: @@ -293,23 +265,7 @@ items: - "" - build.openshift.io resources: - - buildconfigs - - buildconfigs/webhooks - - builds - builds/details - - builds/log - verbs: - - get - - list - - watch - - apiGroups: - - "" - - apps.openshift.io - resources: - - deploymentconfigs - - deploymentconfigs/log - - deploymentconfigs/scale - - deploymentconfigs/status verbs: - get - list @@ -320,10 +276,6 @@ items: resources: - images - imagesignatures - - imagestreamimages - - imagestreams - - imagestreams/status - - imagestreamtags verbs: - get - list @@ -348,29 +300,25 @@ items: - "" - project.openshift.io resources: - - projectrequests - projects verbs: - - get - list - watch - apiGroups: - "" - - quota.openshift.io + - project.openshift.io resources: - - appliedclusterresourcequotas - - clusterresourcequotas - - clusterresourcequotas/status + - projectrequests verbs: - get - list - watch - apiGroups: - "" - - route.openshift.io + - quota.openshift.io resources: - - routes - - routes/status + - clusterresourcequotas + - clusterresourcequotas/status verbs: - get - list 
@@ -404,18 +352,6 @@ items: - get - list - watch - - apiGroups: - - "" - - template.openshift.io - resources: - - processedtemplates - - templateconfigs - - templateinstances - - templates - verbs: - - get - - list - - watch - apiGroups: - "" - template.openshift.io @@ -492,23 +428,6 @@ items: - '*' verbs: - get - - apiGroups: - - "" - - build.openshift.io - resources: - - buildlogs - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotausages - verbs: - - get - - list - - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: