Diffstat (limited to 'roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml')
-rw-r--r-- | roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml | 217 |
1 files changed, 217 insertions, 0 deletions
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
new file mode 100644
index 000000000..f449fba2b
--- /dev/null
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -0,0 +1,217 @@
+apiVersion: v1
+kind: Template
+metadata:
+ name: service-catalog-role-bindings
+objects:
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: servicecatalog-serviceclass-viewer
+ rules:
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterserviceclasses
+ - clusterserviceplans
+ verbs:
+ - list
+ - watch
+ - get
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: servicecatalog-serviceclass-viewer-binding
+ roleRef:
+ name: servicecatalog-serviceclass-viewer
+ groupNames:
+ - system:authenticated
+
+- kind: ServiceAccount
+ apiVersion: v1
+ metadata:
+ name: service-catalog-controller
+
+- kind: ServiceAccount
+ apiVersion: v1
+ metadata:
+ name: service-catalog-apiserver
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: sar-creator
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - subjectaccessreviews.authorization.k8s.io
+ verbs:
+ - create
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-sar-creator-binding
+ roleRef:
+ name: sar-creator
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: namespace-viewer
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - list
+ - watch
+ - get
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-namespace-viewer-binding
+ roleRef:
+ name: namespace-viewer
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-controller-namespace-viewer-binding
+ roleRef:
+ name: namespace-viewer
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-controller
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: service-catalog-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterservicebrokers/status
+ - serviceinstances/status
+ - servicebindings/status
+ - servicebindings/finalizers
+ - serviceinstances/reference
+ verbs:
+ - update
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterservicebrokers
+ - serviceinstances
+ - servicebindings
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - patch
+ - create
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterserviceclasses
+ - clusterserviceplans
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - settings.k8s.io
+ resources:
+ - podpresets
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-controller-binding
+ roleRef:
+ name: service-catalog-controller
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-controller
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: Role
+ metadata:
+ name: endpoint-accessor
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - list
+ - watch
+ - get
+ - create
+ - update
+
+- apiVersion: authorization.openshift.io/v1
+ kind: RoleBinding
+ metadata:
+ name: endpointer-accessor-binding
+ roleRef:
+ name: endpoint-accessor
+ namespace: kube-service-catalog
+ subjects:
+ - kind: ServiceAccount
+ namespace: kube-service-catalog
+ name: service-catalog-controller
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:auth-delegator-binding
+ roleRef:
+ name: system:auth-delegator
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog |
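Review bot: The first rule of the `service-catalog-controller` ClusterRole grants `create`, `update`, `patch`, `delete`, `get`, `list` and `watch` on core `secrets`, and `service-catalog-controller-binding` is a ClusterRoleBinding, so the controller's service account can read and rewrite every Secret in every namespace. If that breadth is intended, it deserves a comment above the rule such as `# cluster-wide by design: this SA can read and modify every Secret in the cluster`, and `list`/`watch` should be dropped if the controller does not need them, which this file alone does not show. Separately, the `sar-creator` rule names its resource as `subjectaccessreviews.authorization.k8s.io` under the empty (`""`) API group; a rule written that way may not match the `authorization.k8s.io` group at all, and `system:auth-delegator-binding` at the end of the file appears to cover the same need for `service-catalog-apiserver`, so confirm whether `sar-creator` is required. The page has lost the file's indentation, so the nesting here is read from the order of the keys.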