From 486b746324171edd691fd1682ef1221825157e62 Mon Sep 17 00:00:00 2001 From: Samuel Padgett Date: Thu, 11 Jan 2018 15:24:37 -0500 Subject: Add console RBAC template --- files/origin-components/console-rbac-template.yaml | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 files/origin-components/console-rbac-template.yaml (limited to 'files/origin-components') diff --git a/files/origin-components/console-rbac-template.yaml b/files/origin-components/console-rbac-template.yaml new file mode 100644 index 000000000..9ee117199 --- /dev/null +++ b/files/origin-components/console-rbac-template.yaml @@ -0,0 +1,38 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: web-console-server-rbac +parameters: +- name: NAMESPACE + # This namespace cannot be changed. Only `openshift-web-console` is supported. + value: openshift-web-console +objects: + + +# allow grant powers to the webconsole server for cluster inspection +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRole + metadata: + name: system:openshift:web-console-server + rules: + - apiGroups: + - "servicecatalog.k8s.io" + resources: + - clusterservicebrokers + verbs: + - get + - list + - watch + +# Grant the service account for the web console +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: system:openshift:web-console-server + roleRef: + kind: ClusterRole + name: system:openshift:web-console-server + subjects: + - kind: ServiceAccount + namespace: ${NAMESPACE} + name: webconsole -- cgit v1.2.3