update RBAC

On-behalf-of: @SAP christoph.mewes@sap.com

Author: xrstf

charts/init-agent/templates/configcluster/rbac.yaml

@@ -38,56 +38,30 @@ kind: ClusterRole
 metadata:
   name: '{{ template "name" . }}:{{ .Release.Namespace }}'
 rules:
+  # provide access to this workspace
+  - verbs:
+      - access
+    nonResourceURLs:
+      - "/"
+
+  # allow to read the init-agent's own resources
   - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - ""
+      - initialization.kcp.io
     resources:
-      - secrets
+      - inittargets
+      - inittemplates
     verbs:
       - get
       - list
       - watch
-      - create
-      - update
+
+  # allow to issue events on the cluster-scoped init-agent resources
   - apiGroups:
       - ""
     resources:
-      - namespaces
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-  - apiGroups:
-      - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - syncagent.kcp.io
-    resources:
-      - publishedresources
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - syncagent.kcp.io
-    resources:
-      - publishedresources/status
+      - events
     verbs:
       - create
-      - get
-      - update
       - patch
 
 ---

charts/init-agent/templates/wstcluster/rbac.yaml

@@ -4,6 +4,13 @@ kind: ClusterRole
 metadata:
   name: 'kcp-init-agent:{{ template "name" . }}'
 rules:
+  # provide access to this workspace
+  - verbs:
+      - access
+    nonResourceURLs:
+      - "/"
+
+  # allow to watch and initialize WorkspaceTypes
   - apiGroups:
       - tenancy.kcp.io
     resources: