openshift-docs/snippets/example-pipelines-installer-clusterrole.yaml

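---
# Example ClusterRole for installing the pipelines extension through a
# ClusterExtension named `pipes`. The first and last groups of rules follow a
# "create/list/watch unscoped, everything else scoped by resourceNames"
# pattern; the middle group grants the permissions the extension's own
# controllers are given.
#
# NOTE(review): RBAC rules are additive and there are no deny rules, so the
# name-scoped rules in this file only narrow access if no other rule grants
# the same verbs on the same resource without resourceNames. Several broad
# rules below do exactly that (clusterroles, clusterrolebindings, CRDs,
# deployments, serviceaccounts, services, configmaps).
#
# NOTE(review): the role as a whole is close to cluster-admin: it includes
# bind/escalate on roles, impersonate on service accounts, read/write on
# secrets, admission webhook configurations and SCCs. Bind it only to a
# dedicated installer service account, and alert on that account's use of
# these verbs in the API audit log.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
  - apiGroups:
      - olm.operatorframework.io
    resources:
      - clusterextensions/finalizers
    verbs:
      - update
    # Scoped to the name of the ClusterExtension:
    # the value from <metadata.name> from the extension's custom resource (CR)
    resourceNames:
      - pipes
  # ClusterRoles and ClusterRoleBindings for the controllers of the extension
  # `create` cannot be restricted by resourceNames (the object name is not
  # known when the request is authorized), which is why each resource gets one
  # unscoped create/list/watch rule and one name-scoped rule.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
    verbs:
      - create
      - list
      - watch
  # NOTE(review): resourceNames entries are compared literally; "*" is not a
  # wildcard in this field, so this rule matches only an object named "*".
  # List the ClusterRole names the extension actually creates instead.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
    verbs:
      - get
      - update
      - patch
      - delete
    resourceNames:
      - "*"
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
    verbs:
      - create
      - list
      - watch
  # NOTE(review): same literal "*" issue as the clusterroles rule above; list
  # the ClusterRoleBinding names the extension actually creates.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
    verbs:
      - get
      - update
      - patch
      - delete
    resourceNames:
      - "*"
  # Extension's custom resource definitions
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - list
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - update
      - patch
      - delete
    resourceNames:
      - manualapprovalgates.operator.tekton.dev
      - openshiftpipelinesascodes.operator.tekton.dev
      - tektonaddons.operator.tekton.dev
      - tektonchains.operator.tekton.dev
      - tektonconfigs.operator.tekton.dev
      - tektonhubs.operator.tekton.dev
      - tektoninstallersets.operator.tekton.dev
      - tektonpipelines.operator.tekton.dev
      - tektonresults.operator.tekton.dev
      - tektontriggers.operator.tekton.dev
  # NOTE(review): unscoped read/write on core resources. When bound with a
  # ClusterRoleBinding this covers every namespace: all Secrets can be read
  # (including service account tokens), pods can be created anywhere, and
  # Node objects can be created or deleted. This rule also makes the
  # name-scoped services and configmaps rules near the end of the file
  # redundant. Confirm which of these the installer needs cluster-wide.
  - apiGroups:
      - ''
    resources:
      - nodes
      - pods
      - services
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - pods/log
      - limitranges
    verbs:
      - create
      - list
      - watch
      - delete
      - deletecollection
      - patch
      - get
      - update
  # NOTE(review): current Kubernetes serves Ingress from networking.k8s.io;
  # verify that `extensions` / `apps` still match anything on the target
  # cluster.
  - apiGroups:
      - extensions
      - apps
    resources:
      - ingresses
      - ingresses/status
    verbs:
      - create
      - list
      - watch
      - delete
      - patch
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  # Unscoped: supersedes the name-scoped deployments rule near the end of the
  # file.
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      - deployments/finalizers
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  # Subset of the later monitoring.coreos.com/servicemonitors rule.
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - create
      - delete
  # NOTE(review): `escalate` lets the holder write roles containing
  # permissions it does not itself hold, and `bind` lets it create bindings to
  # such roles. With no resourceNames, this is a direct path to cluster-admin
  # and overrides the name-scoped clusterroles rule above. If the operator
  # needs `bind`, restrict it with resourceNames to the roles it manages.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - roles
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
      - bind
      - escalate
  # NOTE(review): `impersonate` without resourceNames allows acting as any
  # service account, including more privileged ones. Scope it to the specific
  # accounts required, or drop it if unused. This rule also supersedes the
  # name-scoped serviceaccounts rule near the end of the file.
  - apiGroups:
      - ''
    resources:
      - serviceaccounts
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
      - impersonate
  # Unscoped: supersedes the name-scoped clusterrolebindings rule above.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - rolebindings
    verbs:
      - get
      - update
      - delete
      - patch
      - create
      - list
      - watch
  # Unscoped: supersedes the name-scoped customresourcedefinitions rule above.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
    verbs:
      - get
      - create
      - update
      - delete
      - list
      - patch
      - watch
  # NOTE(review): admission webhook configurations decide which external
  # endpoints see and may modify API requests cluster-wide. Scope the
  # update/patch/delete verbs with resourceNames to the operator's own webhook
  # configurations, and alert on changes to these objects.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups:
      - build.knative.dev
    resources:
      - builds
      - buildtemplates
      - clusterbuildtemplates
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups:
      - extensions
    resources:
      - deployments
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups:
      - extensions
    resources:
      - deployments/finalizers
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  # '*' already covers every resource in the group; the explicit
  # `tektonaddons` entry is redundant.
  - apiGroups:
      - operator.tekton.dev
    resources:
      - '*'
      - tektonaddons
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  # NOTE(review): `add` is not one of the standard Kubernetes request verbs;
  # presumably it never matches a request - confirm and remove if so.
  - apiGroups:
      - tekton.dev
      - triggers.tekton.dev
      - operator.tekton.dev
      - pipelinesascode.tekton.dev
    resources:
      - '*'
    verbs:
      - add
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  # '*' already covers every resource in the group; the explicit
  # `tektonaddons` entry is redundant.
  - apiGroups:
      - dashboard.tekton.dev
    resources:
      - '*'
      - tektonaddons
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  # NOTE(review): `use` without resourceNames permits running workloads under
  # any SecurityContextConstraints, and create/update permits defining new
  # ones. Restrict `use` with resourceNames to the SCCs the operator needs.
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    verbs:
      - use
      - get
      - list
      - create
      - update
      - delete
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
  - apiGroups:
      - console.openshift.io
    resources:
      - consoleyamlsamples
      - consoleclidownloads
      - consolequickstarts
      - consolelinks
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - delete
      - create
      - patch
      - get
      - list
      - update
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - delete
      - deletecollection
      - create
      - patch
      - get
      - list
      - update
      - watch
  - apiGroups:
      - ''
    resources:
      - namespaces/finalizers
    verbs:
      - update
  - apiGroups:
      - resolution.tekton.dev
    resources:
      - resolutionrequests
      - resolutionrequests/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
      - patch
  - apiGroups:
      - console.openshift.io
    resources:
      - consoleplugins
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
      - patch
  # Deployments specified in install.spec.deployments
  # NOTE(review): the name-scoped rules from here on are all superseded by
  # unscoped rules earlier in the file; they take effect only if those broad
  # rules are removed or scoped.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - update
      - patch
      - delete
    # scoped to the extension controller deployment name
    resourceNames:
      - openshift-pipelines-operator
      - tekton-operator-webhook
  # Service accounts in the CSV
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - create
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - update
      - patch
      - delete
    # scoped to the extension controller's deployment service account
    resourceNames:
      - openshift-pipelines-operator
  # Services
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
  # list/watch under resourceNames are only honoured for requests that select
  # a single object with a metadata.name field selector.
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
    # scoped to the service name
    resourceNames:
      - openshift-pipelines-operator-monitor
      - tekton-operator
      - tekton-operator-webhook
  # configmaps
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
    # scoped to the configmap name
    resourceNames:
      - config-logging
      - tekton-config-defaults
      - tekton-config-observability
      - tekton-operator-controller-config-leader-election
      - tekton-operator-info
      - tekton-operator-webhook-config-leader-election
  # NOTE(review): these entries look like role names rather than resource
  # types in operator.tekton.dev - confirm. Every resource in that group is
  # already covered by the '*' rules above.
  - apiGroups:
      - operator.tekton.dev
    resources:
      - tekton-config-read-role
      - tekton-result-read-role
    verbs:
      - get
      - watch
      - list
---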