Add deletecollection permission into role (#91)

horis233 · web-flow · commit 7f056e639ca5 · 2021-05-04T02:53:12.000+08:00
* Add deletecollection permission into role

* Add deletecollection into clusterrole
diff --git a/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml b/bundle/manifests/ibm-namespace-scope-operator.clusterserviceversion.yaml
@@ -61,6 +61,7 @@ spec:
           - patch
           - update
           - watch
+          - deletecollection
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:
diff --git a/controllers/namespacescope_controller.go b/controllers/namespacescope_controller.go
@@ -369,7 +369,7 @@ func (r *NamespaceScopeReconciler) createRoleForNSS(labels map[string]string, fr
 		},
 		Rules: []rbacv1.PolicyRule{
 			{
-				Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch"},
+				Verbs:     []string{"create", "delete", "get", "list", "patch", "update", "watch", "deletecollection"},
 				APIGroups: []string{"*"},
 				Resources: []string{"*"},
 			},
@@ -797,7 +797,7 @@ func (r *NamespaceScopeReconciler) checkGetNSAuth() bool {
 
 // Check if operator has namespace admin permission
 func (r *NamespaceScopeReconciler) checkNamespaceAdminAuth(namespace string) bool {
-	verbs := []string{"create", "delete", "get", "list", "patch", "update", "watch"}
+	verbs := []string{"create", "delete", "get", "list", "patch", "update", "watch", "deletecollection"}
 	for _, verb := range verbs {
 		sar := &authorizationv1.SelfSubjectAccessReview{
 			Spec: authorizationv1.SelfSubjectAccessReviewSpec{
