Remove references to standard Kubernetes cluster roles

Author: rjeberhard

documentation/4.1/content/managing-operators/rbac.md

@@ -141,8 +141,6 @@ the following `ClusterRoleBinding` entries are mapped to a `ClusterRole` grantin
 | | | **Update**: domains (weblogic.oracle), domains/status | |
 | | | **Create**: tokenreviews, selfsubjectrulesreviews | |
 | Operator `nonresource` | Operator `nonresource` | **Get**: /version/* | [^1] |
-| Operator `discovery` | Kubernetes `system:discovery` | **See**: [Kubernetes Discovery Roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles) | [^3] |
-| Operator `auth-delegator` | Kubernetes `system:auth-delegator` | **See**: [Kubernetes Component Roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles) | [^3] |
 
 
 [^1]: The binding is assigned to the operator `ServiceAccount`.

kubernetes/charts/weblogic-operator/templates/_operator-clusterrolebinding-auth-delegator.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- if and (not (empty .Capabilities.APIVersions)) (not (.Capabilities.APIVersions.Has "policy/v1")) }}
@@ -14,8 +14,6 @@
 {{- include "operator.operatorClusterRoleOperatorAdmin" . }}
 {{- include "operator.operatorClusterRoleDomainAdmin" . }}
 {{- include "operator.clusterRoleBindingGeneral" . }}
-{{- include "operator.clusterRoleBindingAuthDelegator" . }}
-{{- include "operator.clusterRoleBindingDiscovery" . }}
 {{- if not (eq .domainNamespaceSelectionStrategy "Dedicated") }}
 {{-   include "operator.clusterRoleBindingNonResource" . }}
 {{- end }}

kubernetes/charts/weblogic-operator/templates/_operator-clusterrolebinding-discovery.tpl

@@ -562,59 +562,6 @@ private V1ClusterRoleBinding getExpectedOperatorRoleBindingNonResource() {
                 .apiGroup(KubernetesArtifactUtils.API_GROUP_RBAC));
   }
 
-  @Test
-  void generatesCorrect_operatorRoleBindingDiscovery() {
-    assertThat(
-        getGeneratedFiles().getOperatorRoleBindingDiscovery(),
-        equalTo(getExpectedOperatorRoleBindingDiscovery()));
-  }
-
-  private V1ClusterRoleBinding getExpectedOperatorRoleBindingDiscovery() {
-    return newClusterRoleBinding()
-        .metadata(
-            newObjectMeta()
-                .name(
-                    getInputs().getNamespace() + "-weblogic-operator-clusterrolebinding-discovery")
-                .putLabelsItem(OPERATORNAME_LABEL, getInputs().getNamespace()))
-        .addSubjectsItem(
-            newSubject()
-                .kind("ServiceAccount")
-                .name(getInputs().getServiceAccount())
-                .namespace(getInputs().getNamespace())
-                .apiGroup(""))
-        .roleRef(
-            newClusterRoleRef()
-                .name("system:discovery")
-                .apiGroup(KubernetesArtifactUtils.API_GROUP_RBAC));
-  }
-
-  @Test
-  void generatesCorrect_operatorRoleBindingAuthDelegator() {
-    assertThat(
-        getGeneratedFiles().getOperatorRoleBindingAuthDelegator(),
-        equalTo(getExpectedOperatorRoleBindingAuthDelegator()));
-  }
-
-  private V1ClusterRoleBinding getExpectedOperatorRoleBindingAuthDelegator() {
-    return newClusterRoleBinding()
-        .metadata(
-            newObjectMeta()
-                .name(
-                    getInputs().getNamespace()
-                        + "-weblogic-operator-clusterrolebinding-auth-delegator")
-                .putLabelsItem(OPERATORNAME_LABEL, getInputs().getNamespace()))
-        .addSubjectsItem(
-            newSubject()
-                .kind("ServiceAccount")
-                .name(getInputs().getServiceAccount())
-                .namespace(getInputs().getNamespace())
-                .apiGroup(""))
-        .roleRef(
-            newClusterRoleRef()
-                .name("system:auth-delegator")
-                .apiGroup(KubernetesArtifactUtils.API_GROUP_RBAC));
-  }
-
   @Test
   void generatesCorrect_weblogicOperatorNamespaceRole() {
     assertThat(

kubernetes/charts/weblogic-operator/templates/_operator.tpl

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2021, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.utils;
@@ -82,14 +82,6 @@ public V1ClusterRoleBinding getOperatorRoleBindingNonResource() {
     return securityYaml.getOperatorRoleBindingNonResource();
   }
 
-  public V1ClusterRoleBinding getOperatorRoleBindingDiscovery() {
-    return securityYaml.getOperatorRoleBindingDiscovery();
-  }
-
-  public V1ClusterRoleBinding getOperatorRoleBindingAuthDelegator() {
-    return securityYaml.getOperatorRoleBindingAuthDelegator();
-  }
-
   public V1ClusterRole getWeblogicOperatorNamespaceRole() {
     return securityYaml.getWeblogicOperatorNamespaceRole();
   }

kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2021, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2023, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.utils;
@@ -55,16 +55,6 @@ public V1ClusterRoleBinding getOperatorRoleBindingNonResource() {
         .find(inputs.getNamespace() + "-weblogic-operator-clusterrolebinding-nonresource");
   }
 
-  public V1ClusterRoleBinding getOperatorRoleBindingDiscovery() {
-    return getClusterRoleBindings()
-        .find(inputs.getNamespace() + "-weblogic-operator-clusterrolebinding-discovery");
-  }
-
-  public V1ClusterRoleBinding getOperatorRoleBindingAuthDelegator() {
-    return getClusterRoleBindings()
-        .find(inputs.getNamespace() + "-weblogic-operator-clusterrolebinding-auth-delegator");
-  }
-
   public V1ClusterRole getWeblogicOperatorNamespaceRole() {
     return getClusterRoles()
         .find(inputs.getNamespace() + "-weblogic-operator-clusterrole-namespace");