Default ClusterRoles should add a label #29206

Open
misanche opened this issue Oct 18, 2024 · 1 comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@misanche

misanche commented Oct 18, 2024

Currently we want to create a cluster-admin-limited role with fewer privileges; for example, we don't want to give them secrets access.

If we use aggregationRules we can't use them, because there are several default roles that don't have the kubernetes.io/bootstrapping label or any other label to filter on.

Some of those default roles are:

  • registry-admin
  • system:openshift:aggregate-to-admin
    ...
Version

Server Version: 4.14.33

Steps To Reproduce
  1. Create the following role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: admin-limited
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
rules:
  - verbs:
      - '*'
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addoninstances
  - verbs:
      - '*'
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addonoperators
  - verbs:
      - '*'
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addons
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - operators.coreos.com
    resources:
      - subscriptions
  - verbs:
      - delete
    apiGroups:
      - operators.coreos.com
    resources:
      - clusterserviceversions
      - catalogsources
      - installplans
      - subscriptions
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - operators.coreos.com
    resources:
      - clusterserviceversions
      - catalogsources
      - installplans
      - subscriptions
      - operatorgroups
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - packages.operators.coreos.com
    resources:
      - packagemanifests
      - packagemanifests/icon
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - alertmanagerconfigs
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - alertmanagers
  - verbs:
      - '*'
    apiGroups:
      - monitoring.openshift.io
    resources:
      - clusterurlmonitors
  - verbs:
      - '*'
    apiGroups:
      - costmanagement-metrics-cfg.openshift.io
    resources:
      - costmanagementmetricsconfigs
  - verbs:
      - '*'
    apiGroups:
      - managed.openshift.io
    resources:
      - customdomains
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addoninstances
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addonoperators
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addons
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - alertmanagerconfigs
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - alertmanagers
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.openshift.io
    resources:
      - clusterurlmonitors
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - costmanagement-metrics-cfg.openshift.io
    resources:
      - costmanagementmetricsconfigs
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - managed.openshift.io
    resources:
      - customdomains
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - pipelines.openshift.io
    resources:
      - gitopsservices
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managedfleetnotificationrecords
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managedfleetnotifications
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managednotifications
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - monitoringstacks
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - managed.openshift.io
    resources:
      - mustgathers
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - ocmagents
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - packages.operators.coreos.com
    resources:
      - packagemanifests
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - podmonitors
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - probes
  - verbs:
      - get
      - list
      - update
      - create
      - watch
      - patch
      - delete
    apiGroups:
      - helm.openshift.io
    resources:
      - projecthelmchartrepositories
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheusagents
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheuses
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheusrules
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - serviceaccounts
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreamimages
      - imagestreammappings
      - imagestreams
      - imagestreams/secrets
      - imagestreamtags
      - imagetags
  - verbs:
      - create
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreamimports
  - verbs:
      - get
      - update
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreams/layers
  - verbs:
      - get
    apiGroups:
      - ''
    resources:
      - namespaces
  - verbs:
      - get
    apiGroups:
      - ''
      - project.openshift.io
    resources:
      - projects
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.openshift.io
    resources:
      - routemonitors
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - scrapeconfigs
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - servicemonitors
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - splunkforwarder.managed.openshift.io
    resources:
      - splunkforwarders
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - managed.openshift.io
    resources:
      - subjectpermissions
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - services/proxy
  - verbs:
      - list
    apiGroups:
      - ''
    resources:
      - secrets
  - verbs:
      - impersonate
    apiGroups:
      - ''
    resources:
      - serviceaccounts
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - ''
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
  - verbs:
      - create
    apiGroups:
      - ''
    resources:
      - pods/eviction
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - events
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/proxy
  - verbs:
      - create
    apiGroups:
      - ''
    resources:
      - serviceaccounts/token
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
  - verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
    apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - coordination.k8s.io
    resources:
      - leases
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
  - verbs:
      - create
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreams
  - verbs:
      - update
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - builds/details
  - verbs:
      - get
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - builds
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
      - deletecollection
    apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshots
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - buildconfigs
      - buildconfigs/webhooks
      - builds
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - builds/log
  - verbs:
      - create
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - buildconfigs/instantiate
      - buildconfigs/instantiatebinary
      - builds/clone
  - verbs:
      - edit
      - view
    apiGroups:
      - build.openshift.io
    resources:
      - jenkins
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - apps.openshift.io
    resources:
      - deploymentconfigs
      - deploymentconfigs/scale
  - verbs:
      - create
    apiGroups:
      - ''
      - apps.openshift.io
    resources:
      - deploymentconfigrollbacks
      - deploymentconfigs/instantiate
      - deploymentconfigs/rollback
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - apps.openshift.io
    resources:
      - deploymentconfigs/log
      - deploymentconfigs/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreams/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - quota.openshift.io
    resources:
      - appliedclusterresourcequotas
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - route.openshift.io
    resources:
      - routes
  - verbs:
      - create
    apiGroups:
      - ''
      - route.openshift.io
    resources:
      - routes/custom-host
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - route.openshift.io
    resources:
      - routes/status
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - template.openshift.io
    resources:
      - processedtemplates
      - templateconfigs
      - templateinstances
      - templates
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - buildlogs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - resourcequotausages
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - thanosqueriers
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - monitoring.rhobs
    resources:
      - thanosrulers
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - observability.openshift.io
    resources:
      - uiplugins
  - verbs:
      - create
      - update
      - patch
      - delete
    apiGroups:
      - upgrade.managed.openshift.io
    resources:
      - upgradeconfigs
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - addoninstances.addons.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addoninstances
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - addonoperators.addons.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addonoperators
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - addons.addons.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - addons.managed.openshift.io
    resources:
      - addons
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - alertmanagerconfigs.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - alertmanagerconfigs
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - alertmanagers.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - alertmanagers
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - clusterurlmonitors.monitoring.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.openshift.io
    resources:
      - clusterurlmonitors
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - costmanagementmetricsconfigs.costmanagement-metrics-cfg.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - costmanagement-metrics-cfg.openshift.io
    resources:
      - costmanagementmetricsconfigs
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - customdomains.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - managed.openshift.io
    resources:
      - customdomains
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - gitopsservices.pipelines.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - pipelines.openshift.io
    resources:
      - gitopsservices
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managedfleetnotificationrecords
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - managedfleetnotifications.ocmagent.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managedfleetnotifications
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - managednotifications.ocmagent.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managednotifications
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - monitoringstacks.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - monitoringstacks
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - mustgathers.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - managed.openshift.io
    resources:
      - mustgathers
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - ocmagents.ocmagent.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - ocmagents
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - packages.operators.coreos.com
    resources:
      - packagemanifests
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - podmonitors.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - podmonitors
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - probes.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - probes
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - prometheusagents.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheusagents
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - prometheuses.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheuses
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - prometheusrules.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheusrules
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreamimages
      - imagestreammappings
      - imagestreams
      - imagestreamtags
      - imagetags
  - verbs:
      - get
    apiGroups:
      - ''
      - image.openshift.io
    resources:
      - imagestreams/layers
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - routemonitors.monitoring.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.openshift.io
    resources:
      - routemonitors
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - scrapeconfigs.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - scrapeconfigs
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - servicemonitors.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - servicemonitors
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - splunkforwarders.splunkforwarder.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - splunkforwarder.managed.openshift.io
    resources:
      - splunkforwarders
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - subjectpermissions.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - managed.openshift.io
    resources:
      - subjectpermissions
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - namespaces
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - snapshot.storage.k8s.io
    resources:
      - volumesnapshots
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - buildconfigs
      - buildconfigs/webhooks
      - builds
  - verbs:
      - view
    apiGroups:
      - build.openshift.io
    resources:
      - jenkins
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - apps.openshift.io
    resources:
      - deploymentconfigs
      - deploymentconfigs/scale
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - route.openshift.io
    resources:
      - routes
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - template.openshift.io
    resources:
      - processedtemplates
      - templateconfigs
      - templateinstances
      - templates
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - build.openshift.io
    resources:
      - buildlogs
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - thanosqueriers.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - thanosqueriers
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - thanosrulers.monitoring.rhobs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - monitoring.rhobs
    resources:
      - thanosrulers
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - uiplugins.observability.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - observability.openshift.io
    resources:
      - uiplugins
  - verbs:
      - get
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - upgradeconfigs.upgrade.managed.openshift.io
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - upgrade.managed.openshift.io
    resources:
      - upgradeconfigs
  - verbs:
      - '*'
    apiGroups:
      - pipelines.openshift.io
    resources:
      - gitopsservices
  - verbs:
      - '*'
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managedfleetnotificationrecords
  - verbs:
      - '*'
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managedfleetnotifications
  - verbs:
      - '*'
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - managednotifications
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - monitoringstacks
  - verbs:
      - '*'
    apiGroups:
      - managed.openshift.io
    resources:
      - mustgathers
  - verbs:
      - watch
      - list
      - get
    apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
  - verbs:
      - '*'
    apiGroups:
      - ocmagent.managed.openshift.io
    resources:
      - ocmagents
  - verbs:
      - '*'
    apiGroups:
      - packages.operators.coreos.com
    resources:
      - packagemanifests
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - podmonitors
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - probes
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheusagents
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheuses
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - prometheusrules
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
      - authorization.openshift.io
    resources:
      - rolebindings
      - roles
  - verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
  - verbs:
      - create
    apiGroups:
      - ''
      - authorization.openshift.io
    resources:
      - localresourceaccessreviews
      - localsubjectaccessreviews
      - subjectrulesreviews
  - verbs:
      - create
    apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
  - verbs:
      - delete
      - get
    apiGroups:
      - ''
      - project.openshift.io
    resources:
      - projects
  - verbs:
      - create
    apiGroups:
      - ''
      - authorization.openshift.io
    resources:
      - resourceaccessreviews
      - subjectaccessreviews
  - verbs:
      - '*'
    apiGroups:
      - monitoring.openshift.io
    resources:
      - routemonitors
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - scrapeconfigs
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - servicemonitors
  - verbs:
      - '*'
    apiGroups:
      - splunkforwarder.managed.openshift.io
    resources:
      - splunkforwarders
  - verbs:
      - '*'
    apiGroups:
      - managed.openshift.io
    resources:
      - subjectpermissions
  - verbs:
      - create
    apiGroups:
      - ''
      - security.openshift.io
    resources:
      - podsecuritypolicyreviews
      - podsecuritypolicyselfsubjectreviews
      - podsecuritypolicysubjectreviews
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
      - authorization.openshift.io
    resources:
      - rolebindingrestrictions
  - verbs:
      - admin
      - edit
      - view
    apiGroups:
      - build.openshift.io
    resources:
      - jenkins
  - verbs:
      - delete
      - get
      - patch
      - update
    apiGroups:
      - ''
      - project.openshift.io
    resources:
      - projects
  - verbs:
      - update
    apiGroups:
      - ''
      - route.openshift.io
    resources:
      - routes/status
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - thanosqueriers
  - verbs:
      - '*'
    apiGroups:
      - monitoring.rhobs
    resources:
      - thanosrulers
  - verbs:
      - '*'
    apiGroups:
      - observability.openshift.io
    resources:
      - uiplugins
  - verbs:
      - '*'
    apiGroups:
      - upgrade.managed.openshift.io
    resources:
      - upgradeconfigs
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-admin: 'true'
    - matchExpressions:
      - { key: kubernetes.io/bootstrapping, operator: NotIn, values: [rbac-defaults] }
  2. See how the new role only has secrets list permissions.
  3. When it aggregates the permissions, it adds the secrets delete, create, ... verbs from the registry-admin role.
Current Result
Expected Result

Having another label that we can use, or adding the kubernetes.io/bootstrapping label to all the OpenShift default cluster roles, because we want to have a new Role and dynamically populate permissions coming from other operators.

aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-admin: 'true'
    - matchExpressions:
      - { key: kubernetes.io/bootstrapping, operator: NotIn, values: [rbac-defaults] }

Additional Information
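The following is an added example, not code from this issue or from OpenShift. It models how the ClusterRole aggregation controller picks source roles: each entry in clusterRoleSelectors is a Kubernetes LabelSelector (matchLabels and matchExpressions are ANDed inside one selector), and the selectors in the list are ORed, so the two-selector rule above matches every ClusterRole that merely lacks the kubernetes.io/bootstrapping label, registry-admin included. The sample ClusterRoles, their names (other than registry-admin, taken from the issue) and their rules are constructed for illustration and are not the real roles' contents.

```python
"""Model of ClusterRole aggregation selector semantics (added example).

Constructed sample ClusterRoles: name -> (labels, rules). Their rules are
illustrative, not copied from any real cluster. The two label keys are the
real ones used on upstream bootstrap roles and in the issue's aggregationRule.
"""

AGG = "rbac.authorization.k8s.io/aggregate-to-admin"
BOOT = "kubernetes.io/bootstrapping"

FULL_SECRETS = [{"apiGroups": [""], "resources": ["secrets"],
                 "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]

SAMPLE_CLUSTER_ROLES = {
    # Bootstrap role that is not itself an aggregation source.
    "bootstrap-admin": ({BOOT: "rbac-defaults"}, FULL_SECRETS),
    # Bootstrap role that is an aggregation source for admin.
    "bootstrap-aggregate-source": ({BOOT: "rbac-defaults", AGG: "true"}, FULL_SECRETS),
    # Operator-provided role the issue wants to pick up dynamically (hypothetical name).
    "operator-widgets-admin": ({AGG: "true"},
                               [{"apiGroups": ["example.io"], "resources": ["widgets"], "verbs": ["*"]}]),
    # As described in the issue: a default role carrying neither label.
    "registry-admin": ({}, FULL_SECRETS),
}

# The rule from the issue: two selectors, therefore OR semantics.
ISSUE_RULE = {"clusterRoleSelectors": [
    {"matchLabels": {AGG: "true"}},
    {"matchExpressions": [{"key": BOOT, "operator": "NotIn", "values": ["rbac-defaults"]}]},
]}

# Same two conditions in ONE selector, therefore AND semantics.
SINGLE_SELECTOR_RULE = {"clusterRoleSelectors": [
    {"matchLabels": {AGG: "true"},
     "matchExpressions": [{"key": BOOT, "operator": "NotIn", "values": ["rbac-defaults"]}]},
]}


def selector_matches(selector, labels):
    """LabelSelector semantics: every matchLabels pair AND every matchExpression must hold.

    NotIn and DoesNotExist also match when the key is absent, which is exactly
    why an unlabelled role satisfies the NotIn selector from the issue.
    """
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def aggregate(aggregation_rule, cluster_roles):
    """Return (matched role names, union of their rules).

    A role is a source if ANY selector in clusterRoleSelectors matches it; the
    controller then writes the union of the sources' rules into .rules.
    """
    matched = [name for name, (labels, _) in sorted(cluster_roles.items())
               if any(selector_matches(s, labels) for s in aggregation_rule["clusterRoleSelectors"])]
    rules = [rule for name in matched for rule in cluster_roles[name][1]]
    return matched, rules


def verbs_on(rules, api_group, resource):
    """Set of verbs the rule list grants on one resource (wildcards counted)."""
    verbs = set()
    for rule in rules:
        groups, resources = rule["apiGroups"], rule["resources"]
        if (api_group in groups or "*" in groups) and (resource in resources or "*" in resources):
            verbs |= set(rule["verbs"])
    return verbs


if __name__ == "__main__":
    for label, rule in (("issue (OR)", ISSUE_RULE), ("single selector (AND)", SINGLE_SELECTOR_RULE)):
        names, rules = aggregate(rule, SAMPLE_CLUSTER_ROLES)
        print(f"{label}: sources={names} secrets verbs={sorted(verbs_on(rules, '', 'secrets'))}")
```

Two things worth checking on a live cluster follow from the model. First, the manual `rules:` in an aggregated ClusterRole are not authoritative: the clusterrole-aggregation-controller overwrites that field with the union of the matched sources, so the long rule list in the reproduction is the controller's output, and the only lever is the selector. Second, the single-selector form keeps out unlabelled roles such as registry-admin but still pulls in any default role that carries `rbac.authorization.k8s.io/aggregate-to-admin=true` without the bootstrapping label, which is the gap the issue asks OpenShift to close; `oc get clusterroles -l 'rbac.authorization.k8s.io/aggregate-to-admin=true,kubernetes.io/bootstrapping!=rbac-defaults'` lists exactly what that selector would aggregate, and `oc get clusterrole admin-limited -o yaml` shows what the controller actually wrote.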
@openshift-bot
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 17, 2025