Merge pull request #8488 from zalando-incubator/fix-role-sync-rbac

fix RBAC for role-sync-controller

Author: linki

cluster/manifests/deletions.yaml

@@ -324,8 +324,6 @@ post_apply:
 - name: role-sync-controller
   kind: CronJob
   namespace: kube-system
-- name: role-sync-controller
-  kind: ClusterRole
 - name: role-sync-controller
   kind: ClusterRoleBinding
 - name: role-sync-controller

cluster/manifests/role-sync-controller/rbac.yaml

@@ -1,20 +1,5 @@
 {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: role-sync-controller
-  labels:
-    application: kubernetes
-    component: role-sync-controller
-rules:
-- apiGroups: [""]
-  resources: ["namespaces"]
-  verbs: ["list"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["rolebindings"]
-  verbs: ["get", "create", "update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: role-sync-controller
@@ -24,7 +9,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: role-sync-controller
+  name: poweruser
 subjects:
 - kind: ServiceAccount
   name: role-sync-controller