diff --git a/config/200-channelable-manipulator-clusterrole.yaml b/config/200-channelable-manipulator-clusterrole.yaml new file mode 100644 index 00000000000..044359d0566 --- /dev/null +++ b/config/200-channelable-manipulator-clusterrole.yaml @@ -0,0 +1,25 @@ +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Use this aggregated ClusterRole when you need read and update permissions on "Channelables". +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: channelable-manipulator +aggregationRule: + clusterRoleSelectors: + - matchLabels: + duck.knative.dev/channelable: "true" +rules: [] # Rules are automatically filled in by the controller manager. + diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml index 67b99476f9a..cf734475777 100644 --- a/config/200-controller-clusterrole.yaml +++ b/config/200-controller-clusterrole.yaml @@ -100,16 +100,3 @@ rules: - "get" - "list" - "watch" - - # Messaging resources and statuses we care about. - - apiGroups: - - "messaging.knative.dev" - resources: - - "inmemorychannels" - - "inmemorychannels/status" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml index 9dd86d2780b..76bce8afe4d 100644 --- a/config/201-clusterrolebinding.yaml +++ b/config/201-clusterrolebinding.yaml 
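Review bot: The aggregationRule in the new channelable-manipulator role selects every ClusterRole in the cluster carrying `duck.knative.dev/channelable: "true"`, so that label alone is enough to merge a role's rules into this one and, through its binding, into the eventing-controller service account; the header comment should state this, because it turns labelling a ClusterRole into a privilege grant. Suggest extending the comment with `# Any ClusterRole labelled duck.knative.dev/channelable: "true" is merged into this role by the controller manager; keep such roles scoped to the channel CRD they own.` The comment also says "read and update" while the contributed roles in this change (in-memory-channel, kafka, natss) grant patch as well, so `read, update and patch permissions` would be accurate. The blank line at the end of the new file is harmless but yamllint's default empty-lines rule flags it.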
@@ -42,6 +42,21 @@ roleRef: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: eventing-controller-manipulator +subjects: + - kind: ServiceAccount + name: eventing-controller + namespace: knative-eventing +roleRef: + kind: ClusterRole + name: channelable-manipulator + apiGroup: rbac.authorization.k8s.io + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/config/channels/in-memory-channel/200-channelable-manipulator-clusterrole.yaml b/config/channels/in-memory-channel/200-channelable-manipulator-clusterrole.yaml new file mode 100644 index 00000000000..ff8e4b5cac8 --- /dev/null +++ b/config/channels/in-memory-channel/200-channelable-manipulator-clusterrole.yaml @@ -0,0 +1,33 @@ +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: imc-channelable-manipulator + labels: + duck.knative.dev/channelable: "true" +# Do not use this role directly. These rules will be added to the "channelable-manipulator" role. +rules: + - apiGroups: + - messaging.knative.dev + resources: + - inmemorychannels + - inmemorychannels/status + verbs: + - get + - list + - watch + - update + - patch diff --git a/contrib/kafka/config/200-channelable-manipulator-clusterrole.yaml b/contrib/kafka/config/200-channelable-manipulator-clusterrole.yaml new file mode 100644 index 00000000000..18e013911ee 
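Review bot: The new eventing-controller-manipulator ClusterRoleBinding grants the eventing-controller service account a role whose own manifest has `rules: []`, so the effective permissions of this subject cannot be read from either the binding or the role and instead depend on which labelled ClusterRoles are installed. A comment above the binding would make that reviewable, e.g. `# Binds eventing-controller to the aggregated channelable-manipulator role; its effective rules are the union of every ClusterRole labelled duck.knative.dev/channelable: "true".` Because this is a ClusterRoleBinding, those aggregated rules apply cluster-wide rather than per namespace.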
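Review bot: The imc-channelable-manipulator rules grant `update` and `patch` on `inmemorychannels` itself, not only on the `/status` subresource, and the manifest does not say which reconciler needs write access to the resource's spec; the same applies to kafka-channelable-manipulator in contrib/kafka/config. Since these rules reach the eventing-controller's permissions through the aggregation label, a comment naming the consumer and the reason for the spec-level write verbs lets reviewers judge least privilege, e.g. `# Consumed by eventing-controller via the channelable-manipulator aggregation; update/patch on the resource (not only /status) is required because the controller writes to the channel spec — confirm against the reconciler.` The consumer is inferred from the aggregation selector elsewhere in this change, not from these lines alone.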
--- /dev/null +++ b/contrib/kafka/config/200-channelable-manipulator-clusterrole.yaml @@ -0,0 +1,33 @@ +# Copyright 2019 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kafka-channelable-manipulator + labels: + duck.knative.dev/channelable: "true" +# Do not use this role directly. These rules will be added to the "channelable-manipulator" role. +rules: + - apiGroups: + - messaging.knative.dev + resources: + - kafkachannels + - kafkachannels/status + verbs: + - get + - list + - watch + - update + - patch diff --git a/contrib/natss/config/200-channelable-clusterrole.yaml b/contrib/natss/config/200-channelable-manipulator-clusterrole.yaml similarity index 93% rename from contrib/natss/config/200-channelable-clusterrole.yaml rename to contrib/natss/config/200-channelable-manipulator-clusterrole.yaml index 56e9a94a6d6..d80168a3a05 100644 --- a/contrib/natss/config/200-channelable-clusterrole.yaml +++ b/contrib/natss/config/200-channelable-manipulator-clusterrole.yaml 
@@ -15,10 +15,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: natss-channelable + name: natss-channelable-manipulator labels: duck.knative.dev/channelable: "true" -# Do not use this role directly. These rules will be added to the "channelable" role. +# Do not use this role directly. These rules will be added to the "channelable-manipulator" role. rules: - apiGroups: - messaging.knative.dev
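Review bot: Renaming the ClusterRole from natss-channelable to natss-channelable-manipulator means a `kubectl apply` upgrade creates the new object and leaves the old natss-channelable ClusterRole behind, and because the unchanged `duck.knative.dev/channelable: "true"` label is still on the old object its rules would continue to be aggregated. The upgrade notes should tell operators to delete the stale role, or the install should remove the old name explicitly. This is inferred from the rename alone and does not apply if the deployment tooling prunes resources that are no longer in the manifests. The rules block of this role continues past the end of the hunk.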