Merge pull request #318 from zfrhv/add-cluster-roles

k8s-ci-robot · web-flow · commit 51574b343d3b · 2024-01-29T09:45:23.000-08:00
Add permissions on hnc CRDs to default clusterRoles: cluster-reader, view, edit, admin
diff --git a/config/rbac/aggregate_to_admin.yaml b/config/rbac/aggregate_to_admin.yaml
@@ -0,0 +1,16 @@
+# Automatically aggregated to clusterRoles: admin
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: admin
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+  - hnc.x-k8s.io
+  resources:
+  - hierarchicalresourcequotas
+  - subnamespaceanchors
+  - hierarchyconfigurations
+  verbs:
+  - '*'
diff --git a/config/rbac/aggregate_to_edit.yaml b/config/rbac/aggregate_to_edit.yaml
@@ -0,0 +1,15 @@
+# Automatically aggregated to clusterRoles: edit -> admin
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - hnc.x-k8s.io
+  resources:
+  - hierarchicalresourcequotas
+  - subnamespaceanchors
+  verbs:
+  - '*'
diff --git a/config/rbac/aggregate_to_view.yaml b/config/rbac/aggregate_to_view.yaml
@@ -0,0 +1,16 @@
+# Automatically aggregated to clusterRoles: cluster-reader, view -> edit -> admin
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+  - hnc.x-k8s.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/rbac/hnc_admin.yaml b/config/rbac/hnc_admin.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -1,6 +1,8 @@
 resources:
 - role.yaml
 - role_binding.yaml
-- hnc_admin.yaml
+- aggregate_to_view.yaml
+- aggregate_to_edit.yaml
+- aggregate_to_admin.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
