--- # NOTE: Changes to this file must be reflected in the OperatorHub.io CSV file apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kiali-operator labels: app: kiali-operator version: ${OPERATOR_VERSION_LABEL} rules: - apiGroups: [""] resources: - configmaps - endpoints - events - persistentvolumeclaims - pods - serviceaccounts - services verbs: - create - delete - get - list - patch - update - watch - apiGroups: [""] resources: - namespaces verbs: - get - list - patch - apiGroups: [""] resources: - secrets verbs: - create - list - watch - apiGroups: [""] resourceNames: - kiali-signing-key resources: - secrets verbs: - delete - get - list - patch - update - watch - apiGroups: ["apps"] resources: - deployments - replicasets verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["monitoring.coreos.com"] resources: - servicemonitors verbs: - create - get - apiGroups: ["apps"] resourceNames: - kiali-operator resources: - deployments/finalizers verbs: - update - apiGroups: ["kiali.io"] resources: - '*' verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["rbac.authorization.k8s.io"] resources: ${OPERATOR_ROLE_CLUSTERROLEBINDINGS} ${OPERATOR_ROLE_CLUSTERROLES} - rolebindings - roles verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["apiextensions.k8s.io"] resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: ["extensions"] resources: - ingresses verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["route.openshift.io"] resources: - routes verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["oauth.openshift.io"] resources: - oauthclients verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["config.openshift.io"] resources: - clusteroperators verbs: - list - watch - apiGroups: ["config.openshift.io"] resourceNames: - kube-apiserver resources: - clusteroperators verbs: - get - apiGroups: ["console.openshift.io"] resources: - consolelinks verbs: - create - delete - get - list - patch - update - watch - apiGroups: ["monitoring.kiali.io"] resources: - monitoringdashboards verbs: - create - delete - get - list - patch - update - watch # The permissions below are for Kiali itself; operator needs these so it can escalate when creating Kiali's roles - apiGroups: [""] resources: - configmaps - endpoints - namespaces - nodes - pods - pods/log - replicationcontrollers - services verbs: - get - list - watch - apiGroups: ["extensions", "apps"] resources: - deployments - replicasets - statefulsets verbs: - get - list - watch - apiGroups: ["autoscaling"] resources: - horizontalpodautoscalers verbs: - get - list - watch - apiGroups: ["batch"] resources: - cronjobs - jobs verbs: - get - list - watch - apiGroups: - config.istio.io - networking.istio.io - authentication.istio.io - rbac.istio.io - security.istio.io resources: ["*"] verbs: ${OPERATOR_ROLE_CREATE} ${OPERATOR_ROLE_DELETE} - get - list ${OPERATOR_ROLE_PATCH} - watch - apiGroups: ["authentication.maistra.io"] resources: - servicemeshpolicies verbs: ${OPERATOR_ROLE_CREATE} ${OPERATOR_ROLE_DELETE} - get - list ${OPERATOR_ROLE_PATCH} - watch - apiGroups: ["rbac.maistra.io"] resources: - servicemeshrbacconfigs verbs: ${OPERATOR_ROLE_CREATE} ${OPERATOR_ROLE_DELETE} - get - list ${OPERATOR_ROLE_PATCH} - watch - apiGroups: ["apps.openshift.io"] resources: - deploymentconfigs verbs: - get - list - watch - apiGroups: ["project.openshift.io"] resources: - projects verbs: - get - apiGroups: ["route.openshift.io"] resources: - routes verbs: - get - apiGroups: ["monitoring.kiali.io"] resources: - monitoringdashboards verbs: - get - list - apiGroups: ["iter8.tools"] resources: - experiments verbs: ${OPERATOR_ROLE_CREATE} ${OPERATOR_ROLE_DELETE} - get - list ${OPERATOR_ROLE_PATCH} - watch