diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml index f26d1f6707..1d85abfb0a 100644 --- a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml +++ b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml @@ -86,7 +86,7 @@ metadata: categories: Developer Tools certified: "false" containerImage: quay.io/eclipse/che-operator:next - createdAt: "2025-09-17T12:17:05Z" + createdAt: "2025-10-14T09:17:53Z" description: A Kube-native development solution that delivers portable and collaborative developer workspaces. features.operators.openshift.io/cnf: "false" @@ -108,7 +108,7 @@ metadata: operatorframework.io/arch.amd64: supported operatorframework.io/arch.arm64: supported operatorframework.io/os.linux: supported - name: eclipse-che.v7.109.0-941.next + name: eclipse-che.v7.111.0-947.next namespace: placeholder spec: apiservicedefinitions: {} @@ -1141,7 +1141,7 @@ spec: name: gateway-authorization-sidecar-k8s - image: quay.io/che-incubator/header-rewrite-proxy:latest name: gateway-header-sidecar - version: 7.109.0-941.next + version: 7.111.0-947.next webhookdefinitions: - admissionReviewVersions: - v1 diff --git a/bundle/next/eclipse-che/manifests/eclipse-che-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/next/eclipse-che/manifests/eclipse-che-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 0000000000..9977365909 --- /dev/null +++ b/bundle/next/eclipse-che/manifests/eclipse-che-edit_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -0,0 +1,254 @@ +# +# Copyright (c) 2019-2024 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-edit +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch 
+ - create + - update + - patch + - delete +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch diff --git a/bundle/next/eclipse-che/manifests/eclipse-che-view_rbac.authorization.k8s.io_v1_clusterrole.yaml b/bundle/next/eclipse-che/manifests/eclipse-che-view_rbac.authorization.k8s.io_v1_clusterrole.yaml new file mode 100644 index 0000000000..625ffc1862 --- /dev/null +++ b/bundle/next/eclipse-che/manifests/eclipse-che-view_rbac.authorization.k8s.io_v1_clusterrole.yaml 
@@ -0,0 +1,186 @@ +# +# Copyright (c) 2019-2024 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-view +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + 
- persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch diff --git a/config/rbac/eclipse-che-edit-cluster_role.yaml b/config/rbac/eclipse-che-edit-cluster_role.yaml new file mode 100644 index 0000000000..2ad374a503 --- /dev/null +++ b/config/rbac/eclipse-che-edit-cluster_role.yaml 
@@ -0,0 +1,259 @@
+#
+# Copyright (c) 2019-2025 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: eclipse-che-edit
+ labels:
+ app.kubernetes.io/name: che
+ app.kubernetes.io/instance: che
+ app.kubernetes.io/component: che
+ app.kubernetes.io/part-of: che.eclipse.org
+rules:
+ # CheCluster
+ - verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ apiGroups:
+ - org.eclipse.che
+ resources:
+ - checlusters
+ # DevWorkspace
+ - verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ - verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - devworkspaceoperatorconfigs
+ # Kubernetes Image Puller
+ - apiGroups:
+ - che.eclipse.org
+ resources:
+ - kubernetesimagepullers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ # OLM
+ - verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ - subscriptions
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ - packagemanifests/icon
+ # Viewing operators in OperatorHub
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - operator.openshift.io
+ resources:
+ - cloudcredentials
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ - authentications
+ # Others
+ - verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ apiGroups:
+ - ''
+ resources:
+ - namespaces
+ - verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ apiGroups:
+ - project.openshift.io
+ resources:
+ - projects
+ - apiGroups:
+ - ''
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - template.openshift.io
+ resources:
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/rbac/eclipse-che-view-cluster_role.yaml b/config/rbac/eclipse-che-view-cluster_role.yaml
new file mode 100644
index 0000000000..1fad52ae86
--- /dev/null
+++ b/config/rbac/eclipse-che-view-cluster_role.yaml
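Review bot: The `eclipse-che-edit` ClusterRole in config/rbac/eclipse-che-edit-cluster_role.yaml gives `create`/`update`/`patch`/`delete` on `roles`, `rolebindings`, `clusterroles` and `clusterrolebindings`, alongside full write on `secrets`, `serviceaccounts` and `pods` plus `create` on `pods/exec`. Bound through a ClusterRoleBinding this is close to cluster-admin in effect: the API server's escalation check limits which RBAC objects the subject can write, but it can still run a pod under any service account in a namespace it reaches, or read credentials stored as Secrets there. If the role is meant only for RoleBindings in the Che namespace, say so in the file header, e.g. `# Bind with a RoleBinding in the Che namespace; a ClusterRoleBinding makes this near cluster-admin.`, and consider reducing the `rbac.authorization.k8s.io` rule to `get`/`list`/`watch`, or at least dropping write on `clusterroles` and `clusterrolebindings`. The same rules are repeated in the generated copies under bundle/ and deploy/.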
@@ -0,0 +1,191 @@
+#
+# Copyright (c) 2019-2025 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: eclipse-che-view
+ labels:
+ app.kubernetes.io/name: che
+ app.kubernetes.io/instance: che
+ app.kubernetes.io/component: che
+ app.kubernetes.io/part-of: che.eclipse.org
+rules:
+ # CheCluster
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - org.eclipse.che
+ resources:
+ - checlusters
+ # DevWorkspace
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - devworkspaceoperatorconfigs
+ # Kubernetes Image Puller
+ - apiGroups:
+ - che.eclipse.org
+ resources:
+ - kubernetesimagepullers
+ verbs:
+ - get
+ - list
+ - watch
+ # OLM
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ - subscriptions
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ - packagemanifests/icon
+ # Viewing operators in OperatorHub
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - operator.openshift.io
+ resources:
+ - cloudcredentials
+ - verbs:
+ - get
+ - list
+ - watch
+ apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ - authentications
+ # Others
+ - verbs:
+ - get
+ - list
+ apiGroups:
+ - ''
+ resources:
+ - namespaces
+ - verbs:
+ - get
+ - list
+ apiGroups:
+ - project.openshift.io
+ resources:
+ - projects
+ - apiGroups:
+ - ''
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - template.openshift.io
+ resources:
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index d27ba9c763..867c5a96ce 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -21,3 +21,5 @@ resources:
 - role_binding.yaml
 - cluster_role.yaml
 - cluster_rolebinding.yaml
+- eclipse-che-edit-cluster_role.yaml
+- eclipse-che-view-cluster_role.yaml
\ No newline at end of file
diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
index d4f5870ce0..cf1d23c29c 100644
--- a/deploy/deployment/kubernetes/combined.yaml
+++ b/deploy/deployment/kubernetes/combined.yaml
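Review bot: `eclipse-che-view` grants `get`/`list`/`watch` on `secrets` (the `configmaps`/`persistentvolumeclaims`/`secrets` rule in config/rbac/eclipse-che-view-cluster_role.yaml), so a subject that is supposed to be read-only can read every credential in scope, including any service account tokens and pull secrets stored as Secrets. The built-in Kubernetes `view` role leaves Secrets out for this reason. Unless Che viewers need secret contents, I would remove `- secrets` from that rule, or move it into its own rule limited to `get` with `resourceNames` for the specific secrets required. The file also ends without a trailing newline (`\ No newline at end of file`), as does config/rbac/kustomization.yaml. The generated copies under bundle/ and deploy/ carry the same rule.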
@@ -9769,6 +9769,422 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-edit +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - 
get +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-view +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - 
catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: diff --git a/deploy/deployment/kubernetes/objects/eclipse-che-edit.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/eclipse-che-edit.ClusterRole.yaml new file mode 100644 index 0000000000..949141ede2 --- /dev/null +++ b/deploy/deployment/kubernetes/objects/eclipse-che-edit.ClusterRole.yaml 
@@ -0,0 +1,253 @@ +# +# Copyright (c) 2019-2024 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-edit +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - create + - update + - 
patch + - delete +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - get +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch diff --git a/deploy/deployment/kubernetes/objects/eclipse-che-view.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/eclipse-che-view.ClusterRole.yaml new file mode 100644 index 0000000000..1d238a2edc --- /dev/null +++ b/deploy/deployment/kubernetes/objects/eclipse-che-view.ClusterRole.yaml 
@@ -0,0 +1,185 @@ +# +# Copyright (c) 2019-2024 Red Hat, Inc. +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# +# Contributors: +# Red Hat, Inc. - initial API and implementation +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-view +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims 
+ - secrets + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch diff --git a/deploy/deployment/openshift/combined.yaml b/deploy/deployment/openshift/combined.yaml index 3aae172606..b2fd301427 100644 --- a/deploy/deployment/openshift/combined.yaml +++ b/deploy/deployment/openshift/combined.yaml 
@@ -9769,6 +9769,422 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-edit +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - 
get +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: che + app.kubernetes.io/instance: che + app.kubernetes.io/name: che + app.kubernetes.io/part-of: che.eclipse.org + name: eclipse-che-view +rules: +- apiGroups: + - org.eclipse.che + resources: + - checlusters + verbs: + - get + - list + - watch +- apiGroups: + - workspace.devfile.io + resources: + - devworkspaces + - devworkspacetemplates + verbs: + - get + - list + - watch +- apiGroups: + - controller.devfile.io + resources: + - devworkspaceroutings + - devworkspaceoperatorconfigs + verbs: + - get + - list + - watch +- apiGroups: + - che.eclipse.org + resources: + - kubernetesimagepullers + verbs: + - get + - list + - watch +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - 
catalogsources + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - watch +- apiGroups: + - packages.operators.coreos.com + resources: + - packagemanifests + - packagemanifests/icon + verbs: + - get + - list + - watch +- apiGroups: + - operator.openshift.io + resources: + - cloudcredentials + verbs: + - get + - list + - watch +- apiGroups: + - config.openshift.io + resources: + - infrastructures + - authentications + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +- apiGroups: + - project.openshift.io + resources: + - projects + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - persistentvolumeclaims + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - template.openshift.io + resources: + - templates + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: diff --git a/deploy/deployment/openshift/objects/eclipse-che-edit.ClusterRole.yaml b/deploy/deployment/openshift/objects/eclipse-che-edit.ClusterRole.yaml new file mode 100644 index 0000000000..949141ede2 --- /dev/null +++ b/deploy/deployment/openshift/objects/eclipse-che-edit.ClusterRole.yaml 
@@ -0,0 +1,253 @@
+#
+# Copyright (c) 2019-2024 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: che
+ app.kubernetes.io/instance: che
+ app.kubernetes.io/name: che
+ app.kubernetes.io/part-of: che.eclipse.org
+ name: eclipse-che-edit
+rules:
+- apiGroups:
+ - org.eclipse.che
+ resources:
+ - checlusters
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - devworkspaceoperatorconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - che.eclipse.org
+ resources:
+ - kubernetesimagepullers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ - subscriptions
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ - packagemanifests/icon
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operator.openshift.io
+ resources:
+ - cloudcredentials
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ - authentications
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - project.openshift.io
+ resources:
+ - projects
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - template.openshift.io
+ resources:
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/deploy/deployment/openshift/objects/eclipse-che-view.ClusterRole.yaml b/deploy/deployment/openshift/objects/eclipse-che-view.ClusterRole.yaml
new file mode 100644
index 0000000000..1d238a2edc
--- /dev/null
+++ b/deploy/deployment/openshift/objects/eclipse-che-view.ClusterRole.yaml
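Review bot: The `rbac.authorization.k8s.io` rule, second from the end of `eclipse-che-edit`, gives `create`/`update`/`patch`/`delete` on `clusterroles` and `clusterrolebindings` as well as on `roles` and `rolebindings`, and the same role also has write access to `secrets`, `serviceaccounts` and `pods` plus `create` on `pods/exec`. Whether these rules apply cluster-wide depends on how the role is bound, which this hunk does not show; under a ClusterRoleBinding the holder would manage cluster-level RBAC objects and could read or replace every Secret. Unless editors are meant to manage cluster-scoped RBAC, I would keep the write verbs on `roles`/`rolebindings` only and give `clusterroles`/`clusterrolebindings` the read-only verbs that `eclipse-che-view` uses, and add a header comment stating the intended binding scope. The identical file added under helmcharts/next/templates (same blob id 949141ede2) would need the same change.

```yaml
# … unchanged: all rules before the rbac.authorization.k8s.io rule …
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  # … unchanged: verbs (get through delete) …
# Cluster-scoped RBAC objects are read-only for editors.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - clusterrolebindings
  verbs:
  - get
  - list
  - watch
# … unchanged: route.openshift.io rule …
```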
@@ -0,0 +1,185 @@
+#
+# Copyright (c) 2019-2024 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: che
+ app.kubernetes.io/instance: che
+ app.kubernetes.io/name: che
+ app.kubernetes.io/part-of: che.eclipse.org
+ name: eclipse-che-view
+rules:
+- apiGroups:
+ - org.eclipse.che
+ resources:
+ - checlusters
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - devworkspaceoperatorconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - che.eclipse.org
+ resources:
+ - kubernetesimagepullers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ - subscriptions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ - packagemanifests/icon
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operator.openshift.io
+ resources:
+ - cloudcredentials
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ - authentications
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - project.openshift.io
+ resources:
+ - projects
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - template.openshift.io
+ resources:
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/helmcharts/next/templates/eclipse-che-edit.ClusterRole.yaml b/helmcharts/next/templates/eclipse-che-edit.ClusterRole.yaml
new file mode 100644
index 0000000000..949141ede2
--- /dev/null
+++ b/helmcharts/next/templates/eclipse-che-edit.ClusterRole.yaml
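Review bot: `eclipse-che-view` lists `secrets` next to `configmaps` and `persistentvolumeclaims` in its `get`/`list`/`watch` rule, so a role named as read-only exposes Secret contents (`list` and `watch` return the full objects, not only their names). The built-in Kubernetes `view` role leaves Secrets out for this reason. I would drop the `- secrets` line from that rule and, if a viewer really needs particular Secrets, grant them through a separate namespaced Role. The same rule appears in the helmcharts/next/templates copy (same blob id 1d238a2edc) and in the `eclipse-che-view` document of the preceding hunk, whose file header is outside this view.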
@@ -0,0 +1,253 @@
+#
+# Copyright (c) 2019-2024 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: che
+ app.kubernetes.io/instance: che
+ app.kubernetes.io/name: che
+ app.kubernetes.io/part-of: che.eclipse.org
+ name: eclipse-che-edit
+rules:
+- apiGroups:
+ - org.eclipse.che
+ resources:
+ - checlusters
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - devworkspaceoperatorconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - che.eclipse.org
+ resources:
+ - kubernetesimagepullers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ - subscriptions
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ - packagemanifests/icon
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operator.openshift.io
+ resources:
+ - cloudcredentials
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ - authentications
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - project.openshift.io
+ resources:
+ - projects
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - template.openshift.io
+ resources:
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/helmcharts/next/templates/eclipse-che-view.ClusterRole.yaml b/helmcharts/next/templates/eclipse-che-view.ClusterRole.yaml
new file mode 100644
index 0000000000..1d238a2edc
--- /dev/null
+++ b/helmcharts/next/templates/eclipse-che-view.ClusterRole.yaml
@@ -0,0 +1,185 @@
+#
+# Copyright (c) 2019-2024 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+# Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: che
+ app.kubernetes.io/instance: che
+ app.kubernetes.io/name: che
+ app.kubernetes.io/part-of: che.eclipse.org
+ name: eclipse-che-view
+rules:
+- apiGroups:
+ - org.eclipse.che
+ resources:
+ - checlusters
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - workspace.devfile.io
+ resources:
+ - devworkspaces
+ - devworkspacetemplates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - controller.devfile.io
+ resources:
+ - devworkspaceroutings
+ - devworkspaceoperatorconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - che.eclipse.org
+ resources:
+ - kubernetesimagepullers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operators.coreos.com
+ resources:
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ - subscriptions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - packages.operators.coreos.com
+ resources:
+ - packagemanifests
+ - packagemanifests/icon
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - operator.openshift.io
+ resources:
+ - cloudcredentials
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - infrastructures
+ - authentications
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - project.openshift.io
+ resources:
+ - projects
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - persistentvolumeclaims
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - template.openshift.io
+ resources:
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch