apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: turbo-cluster-admin rules: - apiGroups: - "" - batch resources: - pods - jobs verbs: - '*' - apiGroups: - "" - apps - apps.openshift.io - extensions - turbonomic.com # Need it for backward compatibility with ORM v1 - devops.turbonomic.io # API groups for ORM owners # It's required when using ORM with ClusterRole 'turbo-cluster-admin'. # It's recommended to use ORM with ClusterRole 'cluster-admin'. # - redis.redis.opstreelabs.in # - charts.helm.k8s.io resources: - deployments - replicasets - replicationcontrollers - statefulsets - daemonsets - deploymentconfigs - resourcequotas - operatorresourcemappings - operatorresourcemappings/status # Resources for ORM owners # It's required when using ORM with ClusterRole 'turbo-cluster-admin'. # It's recommended to use ORM with ClusterRole 'cluster-admin'. # - redis # - xls verbs: - get - list - watch - update - patch - apiGroups: - "" - apps - batch - extensions - policy - app.k8s.io - argoproj.io - apiextensions.k8s.io - config.openshift.io resources: - nodes - services - endpoints - namespaces - limitranges - persistentvolumes - persistentvolumeclaims - poddisruptionbudget - cronjobs - applications - customresourcedefinitions - clusterversions verbs: - get - list - watch - apiGroups: - machine.openshift.io resources: - machines - machinesets verbs: - get - list - update - apiGroups: - "" resources: - nodes/spec - nodes/stats - nodes/metrics - nodes/proxy - pods/log verbs: - get - apiGroups: - policy.turbonomic.io resources: - slohorizontalscales - policybindings verbs: - get - list - watch # Need it for SCC impersonation - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - list - use # Need it for SCC impersonation - apiGroups: - "" resources: - serviceaccounts verbs: - create # It should be commented out if the SCC resources created externally. - delete # It should be commented out if the SCC resources created externally. - impersonate # Need it for SCC impersonation # It should be commented out if the SCC resources created externally. - apiGroups: - rbac.authorization.k8s.io resources: - roles - rolebindings - clusterroles - clusterrolebindings verbs: - create - delete - update - apiGroups: - "" resources: - secrets verbs: - get - watch