Merge pull request #812 from ecordell/admin-perms

openshift-merge-robot · web-flow · commit c718ec855bb2 · 2019-04-15T16:51:05.000-07:00
feat(rbac): restrict permissions for namespace admins
diff --git a/deploy/chart/templates/0000_50_olm_09-aggregated.clusterrole.yaml b/deploy/chart/templates/0000_50_olm_09-aggregated.clusterrole.yaml
@@ -8,8 +8,11 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups: ["operators.coreos.com"]
-  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions", "packagemanifests"]
+  resources: ["subscriptions"]
   verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions"]
+  verbs: ["delete"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/manifests/0000_50_olm_09-aggregated.clusterrole.yaml b/manifests/0000_50_olm_09-aggregated.clusterrole.yaml
@@ -8,8 +8,11 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
 rules:
 - apiGroups: ["operators.coreos.com"]
-  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions", "packagemanifests"]
+  resources: ["subscriptions"]
   verbs: ["create", "update", "patch", "delete"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["clusterserviceversions", "catalogsources", "installplans", "subscriptions"]
+  verbs: ["delete"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
