Default ClusterRoles should add a label
Currently we want to create a cluster-admin-limited role with fewer privileges; for example, we don't want to give them secrets access.
If we use aggregationRules we can't use them, because there are several default roles that don't have the kubernetes.io/bootstrapping label or any other label to filter on.
Some of those default roles are:
- registry-admin
- system:openshift:aggregate-to-admin ...
Version
Server Version: 4.14.33
Steps To Reproduce
- Create the following role:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole  # not in the pasted manifest; added because aggregationRule exists only on a ClusterRole
metadata:
  name: admin-limited
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
- verbs:
  - '*'
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addoninstances
- verbs:
  - '*'
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addonoperators
- verbs:
  - '*'
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addons
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - operators.coreos.com
  resources:
  - subscriptions
- verbs:
  - delete
  apiGroups:
  - operators.coreos.com
  resources:
  - clusterserviceversions
  - catalogsources
  - installplans
  - subscriptions
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - operators.coreos.com
  resources:
  - clusterserviceversions
  - catalogsources
  - installplans
  - subscriptions
  - operatorgroups
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - packages.operators.coreos.com
  resources:
  - packagemanifests
  - packagemanifests/icon
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - alertmanagerconfigs
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - alertmanagers
- verbs:
  - '*'
  apiGroups:
  - monitoring.openshift.io
  resources:
  - clusterurlmonitors
- verbs:
  - '*'
  apiGroups:
  - costmanagement-metrics-cfg.openshift.io
  resources:
  - costmanagementmetricsconfigs
- verbs:
  - '*'
  apiGroups:
  - managed.openshift.io
  resources:
  - customdomains
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addoninstances
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addonoperators
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addons
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - alertmanagerconfigs
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - alertmanagers
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.openshift.io
  resources:
  - clusterurlmonitors
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - costmanagement-metrics-cfg.openshift.io
  resources:
  - costmanagementmetricsconfigs
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - managed.openshift.io
  resources:
  - customdomains
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - pipelines.openshift.io
  resources:
  - gitopsservices
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managedfleetnotificationrecords
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managedfleetnotifications
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managednotifications
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - monitoringstacks
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - managed.openshift.io
  resources:
  - mustgathers
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - ocmagents
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - packages.operators.coreos.com
  resources:
  - packagemanifests
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - podmonitors
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - probes
- verbs:
  - get
  - list
  - update
  - create
  - watch
  - patch
  - delete
  apiGroups:
  - helm.openshift.io
  resources:
  - projecthelmchartrepositories
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheusagents
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheuses
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheusrules
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  resources:
  - serviceaccounts
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  - imagestreams/secrets
  - imagestreamtags
  - imagetags
- verbs:
  - create
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreamimports
- verbs:
  - get
  - update
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreams/layers
- verbs:
  - get
  apiGroups:
  - ''
  resources:
  - namespaces
- verbs:
  - get
  apiGroups:
  - ''
  - project.openshift.io
  resources:
  - projects
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.openshift.io
  resources:
  - routemonitors
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - scrapeconfigs
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - servicemonitors
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - splunkforwarder.managed.openshift.io
  resources:
  - splunkforwarders
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - managed.openshift.io
  resources:
  - subjectpermissions
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - services/proxy
- verbs:
  - list
  apiGroups:
  - ''
  resources:
  - secrets
- verbs:
  - impersonate
  apiGroups:
  - ''
  resources:
  - serviceaccounts
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - ''
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
- verbs:
  - create
  apiGroups:
  - ''
  resources:
  - pods/eviction
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - ''
  resources:
  - configmaps
  - endpoints
  - events
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/proxy
- verbs:
  - create
  apiGroups:
  - ''
  resources:
  - serviceaccounts/token
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
- verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - coordination.k8s.io
  resources:
  - leases
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
- verbs:
  - create
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreams
- verbs:
  - update
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - builds/details
- verbs:
  - get
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - builds
- verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
  - deletecollection
  apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - buildconfigs
  - buildconfigs/webhooks
  - builds
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - builds/log
- verbs:
  - create
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - buildconfigs/instantiate
  - buildconfigs/instantiatebinary
  - builds/clone
- verbs:
  - edit
  - view
  apiGroups:
  - build.openshift.io
  resources:
  - jenkins
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - apps.openshift.io
  resources:
  - deploymentconfigs
  - deploymentconfigs/scale
- verbs:
  - create
  apiGroups:
  - ''
  - apps.openshift.io
  resources:
  - deploymentconfigrollbacks
  - deploymentconfigs/instantiate
  - deploymentconfigs/rollback
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - apps.openshift.io
  resources:
  - deploymentconfigs/log
  - deploymentconfigs/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreams/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - quota.openshift.io
  resources:
  - appliedclusterresourcequotas
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - route.openshift.io
  resources:
  - routes
- verbs:
  - create
  apiGroups:
  - ''
  - route.openshift.io
  resources:
  - routes/custom-host
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - route.openshift.io
  resources:
  - routes/status
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - template.openshift.io
  resources:
  - processedtemplates
  - templateconfigs
  - templateinstances
  - templates
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - buildlogs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  resources:
  - resourcequotausages
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - thanosqueriers
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - monitoring.rhobs
  resources:
  - thanosrulers
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - observability.openshift.io
  resources:
  - uiplugins
- verbs:
  - create
  - update
  - patch
  - delete
  apiGroups:
  - upgrade.managed.openshift.io
  resources:
  - upgradeconfigs
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - addoninstances.addons.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addoninstances
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - addonoperators.addons.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addonoperators
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - addons.addons.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - addons.managed.openshift.io
  resources:
  - addons
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - alertmanagerconfigs.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - alertmanagerconfigs
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - alertmanagers.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - alertmanagers
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - clusterurlmonitors.monitoring.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.openshift.io
  resources:
  - clusterurlmonitors
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - costmanagementmetricsconfigs.costmanagement-metrics-cfg.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - costmanagement-metrics-cfg.openshift.io
  resources:
  - costmanagementmetricsconfigs
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - customdomains.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - managed.openshift.io
  resources:
  - customdomains
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - gitopsservices.pipelines.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - pipelines.openshift.io
  resources:
  - gitopsservices
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managedfleetnotificationrecords
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - managedfleetnotifications.ocmagent.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managedfleetnotifications
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - managednotifications.ocmagent.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managednotifications
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - monitoringstacks.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - monitoringstacks
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - mustgathers.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - managed.openshift.io
  resources:
  - mustgathers
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - ocmagents.ocmagent.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - ocmagents
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - packages.operators.coreos.com
  resources:
  - packagemanifests
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - podmonitors.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - podmonitors
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - probes.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - probes
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - prometheusagents.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheusagents
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - prometheuses.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheuses
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - prometheusrules.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheusrules
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  - imagestreamtags
  - imagetags
- verbs:
  - get
  apiGroups:
  - ''
  - image.openshift.io
  resources:
  - imagestreams/layers
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - routemonitors.monitoring.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.openshift.io
  resources:
  - routemonitors
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - scrapeconfigs.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - scrapeconfigs
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - servicemonitors.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - servicemonitors
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - splunkforwarders.splunkforwarder.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - splunkforwarder.managed.openshift.io
  resources:
  - splunkforwarders
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - subjectpermissions.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - managed.openshift.io
  resources:
  - subjectpermissions
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  resources:
  - namespaces
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - buildconfigs
  - buildconfigs/webhooks
  - builds
- verbs:
  - view
  apiGroups:
  - build.openshift.io
  resources:
  - jenkins
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - apps.openshift.io
  resources:
  - deploymentconfigs
  - deploymentconfigs/scale
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - route.openshift.io
  resources:
  - routes
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - template.openshift.io
  resources:
  - processedtemplates
  - templateconfigs
  - templateinstances
  - templates
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - build.openshift.io
  resources:
  - buildlogs
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - thanosqueriers.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - thanosqueriers
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - thanosrulers.monitoring.rhobs
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - monitoring.rhobs
  resources:
  - thanosrulers
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - uiplugins.observability.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - observability.openshift.io
  resources:
  - uiplugins
- verbs:
  - get
  apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - upgradeconfigs.upgrade.managed.openshift.io
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - upgrade.managed.openshift.io
  resources:
  - upgradeconfigs
- verbs:
  - '*'
  apiGroups:
  - pipelines.openshift.io
  resources:
  - gitopsservices
- verbs:
  - '*'
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managedfleetnotificationrecords
- verbs:
  - '*'
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managedfleetnotifications
- verbs:
  - '*'
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - managednotifications
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - monitoringstacks
- verbs:
  - '*'
  apiGroups:
  - managed.openshift.io
  resources:
  - mustgathers
- verbs:
  - watch
  - list
  - get
  apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
- verbs:
  - '*'
  apiGroups:
  - ocmagent.managed.openshift.io
  resources:
  - ocmagents
- verbs:
  - '*'
  apiGroups:
  - packages.operators.coreos.com
  resources:
  - packagemanifests
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - podmonitors
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - probes
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheusagents
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheuses
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - prometheusrules
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - ''
  - authorization.openshift.io
  resources:
  - rolebindings
  - roles
- verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
  apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
- verbs:
  - create
  apiGroups:
  - ''
  - authorization.openshift.io
  resources:
  - localresourceaccessreviews
  - localsubjectaccessreviews
  - subjectrulesreviews
- verbs:
  - create
  apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
- verbs:
  - delete
  - get
  apiGroups:
  - ''
  - project.openshift.io
  resources:
  - projects
- verbs:
  - create
  apiGroups:
  - ''
  - authorization.openshift.io
  resources:
  - resourceaccessreviews
  - subjectaccessreviews
- verbs:
  - '*'
  apiGroups:
  - monitoring.openshift.io
  resources:
  - routemonitors
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - scrapeconfigs
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - servicemonitors
- verbs:
  - '*'
  apiGroups:
  - splunkforwarder.managed.openshift.io
  resources:
  - splunkforwarders
- verbs:
  - '*'
  apiGroups:
  - managed.openshift.io
  resources:
  - subjectpermissions
- verbs:
  - create
  apiGroups:
  - ''
  - security.openshift.io
  resources:
  - podsecuritypolicyreviews
  - podsecuritypolicyselfsubjectreviews
  - podsecuritypolicysubjectreviews
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  - authorization.openshift.io
  resources:
  - rolebindingrestrictions
- verbs:
  - admin
  - edit
  - view
  apiGroups:
  - build.openshift.io
  resources:
  - jenkins
- verbs:
  - delete
  - get
  - patch
  - update
  apiGroups:
  - ''
  - project.openshift.io
  resources:
  - projects
- verbs:
  - update
  apiGroups:
  - ''
  - route.openshift.io
  resources:
  - routes/status
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - thanosqueriers
- verbs:
  - '*'
  apiGroups:
  - monitoring.rhobs
  resources:
  - thanosrulers
- verbs:
  - '*'
  apiGroups:
  - observability.openshift.io
  resources:
  - uiplugins
- verbs:
  - '*'
  apiGroups:
  - upgrade.managed.openshift.io
  resources:
  - upgradeconfigs
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: 'true'
  - matchExpressions:
    - { key: kubernetes.io/bootstrapping, operator: NotIn, values: [rbac-defaults] }
```
- See how the new role only has secrets list permission.
- When it aggregates the permissions, it adds the secrets delete, create, ... verbs from the registry-admin role.
Current Result
Expected Result
Have another label that we can use, or add the kubernetes.io/bootstrapping label to all the OpenShift default cluster roles, because we want to have a new role and dynamically populate permissions coming from other operators.
```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: 'true'
  - matchExpressions:
    - { key: kubernetes.io/bootstrapping, operator: NotIn, values: [rbac-defaults] }
```
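The selector behaviour behind this reproduction, as an added example that is not code from the issue or from OpenShift: a small dry-run evaluator applying the label-selector semantics the RBAC aggregation controller uses (selectors in `clusterRoleSelectors` are OR'ed, `matchLabels` and `matchExpressions` inside one selector are AND'ed, and `NotIn` matches when the key is absent). The ClusterRole stubs, their labels and their rules are constructed to mirror the roles the issue names and are simplifications, not the real manifests.

```python
# Added example (not from the issue or OpenShift): dry-run which ClusterRoles an
# aggregationRule would fold in, and which of those touch core-group secrets.

def expression_matches(labels, expr):
    """One matchExpressions entry. NotIn and DoesNotExist match when the key is absent."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return not present or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unsupported operator {op!r}")


def selector_matches(labels, selector):
    """matchLabels and matchExpressions inside one selector are AND'ed."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(expression_matches(labels, e) for e in selector.get("matchExpressions", []))


def aggregated_roles(selectors, cluster_roles):
    """Names of ClusterRoles whose rules get copied in: the selector list is OR'ed."""
    return sorted(cr["name"] for cr in cluster_roles
                  if any(selector_matches(cr.get("labels", {}), s) for s in selectors))


def roles_touching(resource, cluster_roles, names):
    """Subset of `names` with any verb on `resource` (or '*') in the core API group."""
    by_name = {cr["name"]: cr for cr in cluster_roles}
    return sorted(n for n in names
                  if any(("" in r["apiGroups"] or "*" in r["apiGroups"])
                         and (resource in r["resources"] or "*" in r["resources"])
                         for r in by_name[n]["rules"]))


def with_bootstrapping_label(cluster_roles, names):
    """Model the requested fix: give the named OpenShift default roles the rbac-defaults label."""
    return [dict(cr, labels={**cr.get("labels", {}), BOOT: "rbac-defaults"})
            if cr["name"] in names else cr for cr in cluster_roles]


AGG = "rbac.authorization.k8s.io/aggregate-to-admin"
BOOT = "kubernetes.io/bootstrapping"

# Constructed sample roles; labels and rules are assumptions, simplified from the real ones.
ROLES = [
    {"name": "system:aggregate-to-admin", "labels": {AGG: "true", BOOT: "rbac-defaults"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    {"name": "registry-admin", "labels": {AGG: "true"},  # OpenShift default, no bootstrapping label
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "delete", "list"]}]},
    {"name": "system:openshift:aggregate-to-admin", "labels": {AGG: "true"},
     "rules": [{"apiGroups": ["route.openshift.io"], "resources": ["routes"], "verbs": ["*"]}]},
    {"name": "addon-operator-admin-extras", "labels": {AGG: "true"},  # the operator role wanted
     "rules": [{"apiGroups": ["addons.managed.openshift.io"], "resources": ["addons"], "verbs": ["*"]}]},
    {"name": "unlabeled-helper", "labels": {},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
]
# Exactly as in the issue: two list entries, so the two conditions are OR'ed.
ISSUE_SELECTORS = [{"matchLabels": {AGG: "true"}},
                   {"matchExpressions": [{"key": BOOT, "operator": "NotIn", "values": ["rbac-defaults"]}]}]
# The same two conditions in one entry, so they are AND'ed.
AND_SELECTORS = [{"matchLabels": {AGG: "true"},
                  "matchExpressions": [{"key": BOOT, "operator": "NotIn", "values": ["rbac-defaults"]}]}]

if __name__ == "__main__":
    fixed = with_bootstrapping_label(ROLES, {"registry-admin", "system:openshift:aggregate-to-admin"})
    for title, sel, roles in [("issue selectors (OR)", ISSUE_SELECTORS, ROLES),
                              ("combined selector (AND)", AND_SELECTORS, ROLES),
                              ("AND + requested label on OpenShift defaults", AND_SELECTORS, fixed)]:
        picked = aggregated_roles(sel, roles)
        print(f"{title}: {picked}; secrets via {roles_touching('secrets', roles, picked)}")
```

Keep in mind that the aggregation controller overwrites whatever `rules` you put directly in an aggregated ClusterRole with the union of the matched roles, so the long rules list in the manifest above does not constrain the result; only the selectors do.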