add appropriate RBAC for the role-sync-controller

Author: demonCoder95

cluster/manifests/deletions.yaml

@@ -313,6 +313,8 @@ post_apply:
 - name: role-sync-controller
   kind: CronJob
   namespace: kube-system
+- name: role-sync-controller
+  kind: ClusterRole
 - name: role-sync-controller
   kind: ClusterRoleBinding
 - name: role-sync-controller

cluster/manifests/role-sync-controller/rbac.yaml

@@ -1,5 +1,40 @@
 {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: role-sync-controller
+  labels:
+    application: kubernetes
+    component: role-sync-controller
+rules:
+  # Allow the controller to list namespaces
+  - apiGroups:
+    - ""
+    resources:
+    - "namespaces"
+    verbs:
+    - "list"
+  # Allow the controller to manage Roles and Rolebindings
+  - apiGroups:
+    - rbac.authorization.k8s.io
+    resources:
+    - roles
+    - rolebindings
+    verbs:
+    - "get"
+    - "create"
+    - "update"
+  # Allow the controller to manage roles based on reading Secrets
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: role-sync-controller
@@ -9,7 +44,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: poweruser
+  name: role-sync-controller
 subjects:
 - kind: ServiceAccount
   name: role-sync-controller