diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 054221a18..c10cac8f0 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -12,14 +12,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - apiGroups: - "" resources: @@ -28,12 +20,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - apiGroups: - monitoring.coreos.com resources: @@ -108,3 +94,35 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: manager-role + namespace: openshift-config +rules: +- apiGroups: + - "" + resourceNames: + - pull-secret + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: manager-role + namespace: openshift-monitoring +rules: +- apiGroups: + - "" + resourceNames: + - cluster-monitoring-config + resources: + - configmaps + verbs: + - get + - list + - watch diff --git a/internal/controller/kokumetricsconfig_controller.go b/internal/controller/kokumetricsconfig_controller.go index 3ba9f02a3..c10098c58 100644 --- a/internal/controller/kokumetricsconfig_controller.go +++ b/internal/controller/kokumetricsconfig_controller.go 
@@ -726,8 +726,8 @@ func (r *MetricsConfigReconciler) setAuthAndUpload(ctx context.Context, cr *metr
 // +kubebuilder:rbac:groups=operators.coreos.com,namespace=koku-metrics-operator,resources=clusterserviceversions,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=config.openshift.io,resources=clusterversions,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch
-// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get
-// +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch
+// +kubebuilder:rbac:groups=core,resources=secrets,resourceNames=pull-secret,namespace=openshift-config,verbs=get
+// +kubebuilder:rbac:groups=core,resources=configmaps,resourceNames=cluster-monitoring-config,namespace=openshift-monitoring,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,namespace=koku-metrics-operator,resources=pods;services;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets;serviceaccounts,verbs=create;delete;get;list;patch;update;watch
 // +kubebuilder:rbac:groups=apps,namespace=koku-metrics-operator,resources=deployments,verbs=get;list;patch;watch
 // +kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheuses/api,verbs=get;create;update
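Review bot: The new configmaps marker keeps `list;watch` together with `resourceNames=cluster-monitoring-config`, and Kubernetes only authorizes list/watch under a resourceNames rule when the request carries a matching `metadata.name` field selector. If the reconciler reads this ConfigMap through the manager's cached client (not visible in this hunk), the informer's namespace-wide list/watch would be refused; if it reads it with a direct Get, the extra verbs are unused and the marker can be narrowed to `// +kubebuilder:rbac:groups=core,resources=configmaps,resourceNames=cluster-monitoring-config,namespace=openshift-monitoring,verbs=get`, matching the secrets marker. The two namespaced markers also turn what were ClusterRole rules into Roles in openshift-config and openshift-monitoring, which controller-gen does not bind, so each namespace needs a RoleBinding for the operator's service account; none appears in this diff. The marker block continues outside the hunk.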