From c1ff8e4c4ac23b32e67cd4dff61466fed317ae7f Mon Sep 17 00:00:00 2001
From: nachocano
Date: Tue, 4 Jun 2019 12:09:44 -0700
Subject: [PATCH 1/3] channelable cluster role
---
 config/200-channelable-clusterrole.yaml | 25 ++++++++++++++
 config/201-clusterrolebinding.yaml | 15 +++++++++
 .../200-channelable-clusterrole.yaml | 33 +++++++++++++++++++
 .../config/200-channelable-clusterrole.yaml | 33 +++++++++++++++++++
 4 files changed, 106 insertions(+)
 create mode 100644 config/200-channelable-clusterrole.yaml
 create mode 100644 config/channels/in-memory-channel/200-channelable-clusterrole.yaml
 create mode 100644 contrib/kafka/config/200-channelable-clusterrole.yaml
diff --git a/config/200-channelable-clusterrole.yaml b/config/200-channelable-clusterrole.yaml
new file mode 100644
index 00000000000..2cff6834f5b
--- /dev/null
+++ b/config/200-channelable-clusterrole.yaml
@@ -0,0 +1,25 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use this aggregated ClusterRole when you need read/write access to "Channelables"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: channelable
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ duck.knative.dev/channelable: "true"
+rules: [] # Rules are automatically filled in by the controller manager.
+
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index 9dd86d2780b..2fcc95ba1f0 100644
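Review bot: The aggregationRule on `channelable` makes the label `duck.knative.dev/channelable: "true"` the only gate on what this role grants: the control plane merges in every ClusterRole carrying that label, whatever file or installer created it, so each subject bound to `channelable` (the eventing-controller binding added to config/201-clusterrolebinding.yaml in this patch) inherits those rules as channel implementations are installed. The header comment describes the role from the consumer's side only; it should also state this trust boundary so that reviewers of future channel roles treat the label as a grant rather than as metadata, e.g. `# Any ClusterRole labeled duck.knative.dev/channelable: "true" is merged into this role, so adding that label grants its rules to every subject bound here.` Binding only controller ServiceAccounts to this role, never user workloads, follows from the same point and is worth stating in the comment as well.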
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -42,6 +42,21 @@ roleRef:
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-controller-channelable
+subjects:
+ - kind: ServiceAccount
+ name: eventing-controller
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: channelable
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/config/channels/in-memory-channel/200-channelable-clusterrole.yaml b/config/channels/in-memory-channel/200-channelable-clusterrole.yaml
new file mode 100644
index 00000000000..af63f60f7ee
--- /dev/null
+++ b/config/channels/in-memory-channel/200-channelable-clusterrole.yaml
@@ -0,0 +1,33 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: imc-channelable
+ labels:
+ duck.knative.dev/channelable: "true"
+# Do not use this role directly. These rules will be added to the "channelable" role.
+rules:
+ - apiGroups:
+ - messaging.knative.dev
+ resources:
+ - inmemorychannels
+ - inmemorychannels/status
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
diff --git a/contrib/kafka/config/200-channelable-clusterrole.yaml b/contrib/kafka/config/200-channelable-clusterrole.yaml
new file mode 100644
index 00000000000..3d194093ba3
--- /dev/null
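Review bot: The `imc-channelable` rules grant `update` and `patch` on `inmemorychannels` itself in addition to `inmemorychannels/status`, and because this role is aggregated into `channelable` these verbs become the eventing-controller's permissions on every channel implementation that ships a labeled role. The `/status` subresource exists so that a controller which only reconciles status needs no write access to the spec; if the eventing-controller does write the channel spec, a comment above `verbs:` saying why (for example `# update/patch on the resource itself is required because the controller writes the channel spec, not only its status`) would justify the grant, and if it does not, `update` and `patch` should apply to `inmemorychannels/status` only. The kafka role added in this patch (contrib/kafka/config/200-channelable-clusterrole.yaml) has the same verb list and the same question applies there.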
+++ b/contrib/kafka/config/200-channelable-clusterrole.yaml
@@ -0,0 +1,33 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kafka-channelable
+ labels:
+ duck.knative.dev/channelable: "true"
+# Do not use this role directly. These rules will be added to the "channelable" role.
+rules:
+ - apiGroups:
+ - messaging.knative.dev
+ resources:
+ - kafkachannels
+ - kafkachannels/status
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
From ee23e752b38bd1a356c4cbf7e08cb3acd9ac4f63 Mon Sep 17 00:00:00 2001
From: Nacho Cano
Date: Tue, 4 Jun 2019 15:42:50 -0700
Subject: [PATCH 2/3] update comment
---
 config/200-channelable-clusterrole.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/200-channelable-clusterrole.yaml b/config/200-channelable-clusterrole.yaml
index 2cff6834f5b..2727f93cf54 100644
--- a/config/200-channelable-clusterrole.yaml
+++ b/config/200-channelable-clusterrole.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# Use this aggregated ClusterRole when you need read/write access to "Channelables"
+# Use this aggregated ClusterRole when you need read and update permissions on "Channelables".
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
From 764d300e76d6af82437695bcfaa277caff518e77 Mon Sep 17 00:00:00 2001
From: nachocano
Date: Wed, 5 Jun 2019 09:41:17 -0700
Subject: [PATCH 3/3] renaming stuff
---
 ...=> 200-channelable-manipulator-clusterrole.yaml} | 2 +-
 config/200-controller-clusterrole.yaml | 13 -------------
 config/201-clusterrolebinding.yaml | 4 ++--
 ...=> 200-channelable-manipulator-clusterrole.yaml} | 4 ++--
 ...=> 200-channelable-manipulator-clusterrole.yaml} | 4 ++--
 ...=> 200-channelable-manipulator-clusterrole.yaml} | 4 ++--
 6 files changed, 9 insertions(+), 22 deletions(-)
 rename config/{200-channelable-clusterrole.yaml => 200-channelable-manipulator-clusterrole.yaml} (96%)
 rename config/channels/in-memory-channel/{200-channelable-clusterrole.yaml => 200-channelable-manipulator-clusterrole.yaml} (93%)
 rename contrib/kafka/config/{200-channelable-clusterrole.yaml => 200-channelable-manipulator-clusterrole.yaml} (93%)
 rename contrib/natss/config/{200-channelable-clusterrole.yaml => 200-channelable-manipulator-clusterrole.yaml} (93%)
diff --git a/config/200-channelable-clusterrole.yaml b/config/200-channelable-manipulator-clusterrole.yaml
similarity index 96%
rename from config/200-channelable-clusterrole.yaml
rename to config/200-channelable-manipulator-clusterrole.yaml
index 2727f93cf54..044359d0566 100644
--- a/config/200-channelable-clusterrole.yaml
+++ b/config/200-channelable-manipulator-clusterrole.yaml
@@ -16,7 +16,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: channelable
+ name: channelable-manipulator
 aggregationRule:
 clusterRoleSelectors:
 - matchLabels:
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 67b99476f9a..cf734475777 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -100,16 +100,3 @@ rules:
 - "get"
 - "list"
 - "watch"
-
- # Messaging resources and statuses we care about.
- - apiGroups:
- - "messaging.knative.dev"
- resources:
- - "inmemorychannels"
- - "inmemorychannels/status"
- verbs:
- - "get"
- - "list"
- - "watch"
- - "update"
- - "patch"
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index 2fcc95ba1f0..76bce8afe4d 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -45,14 +45,14 @@ roleRef:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: eventing-controller-channelable
+ name: eventing-controller-manipulator
 subjects:
 - kind: ServiceAccount
 name: eventing-controller
 namespace: knative-eventing
 roleRef:
 kind: ClusterRole
- name: channelable
+ name: channelable-manipulator
 apiGroup: rbac.authorization.k8s.io
 ---
diff --git a/config/channels/in-memory-channel/200-channelable-clusterrole.yaml b/config/channels/in-memory-channel/200-channelable-manipulator-clusterrole.yaml
similarity index 93%
rename from config/channels/in-memory-channel/200-channelable-clusterrole.yaml
rename to config/channels/in-memory-channel/200-channelable-manipulator-clusterrole.yaml
index af63f60f7ee..ff8e4b5cac8 100644
--- a/config/channels/in-memory-channel/200-channelable-clusterrole.yaml
+++ b/config/channels/in-memory-channel/200-channelable-manipulator-clusterrole.yaml
@@ -15,10 +15,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: imc-channelable
+ name: imc-channelable-manipulator
 labels:
 duck.knative.dev/channelable: "true"
-# Do not use this role directly. These rules will be added to the "channelable" role.
+# Do not use this role directly. These rules will be added to the "channelable-manipulator" role.
 rules:
 - apiGroups:
 - messaging.knative.dev
diff --git a/contrib/kafka/config/200-channelable-clusterrole.yaml b/contrib/kafka/config/200-channelable-manipulator-clusterrole.yaml
similarity index 93%
rename from contrib/kafka/config/200-channelable-clusterrole.yaml
rename to contrib/kafka/config/200-channelable-manipulator-clusterrole.yaml
index 3d194093ba3..18e013911ee 100644
--- a/contrib/kafka/config/200-channelable-clusterrole.yaml
+++ b/contrib/kafka/config/200-channelable-manipulator-clusterrole.yaml
@@ -15,10 +15,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kafka-channelable
+ name: kafka-channelable-manipulator
 labels:
 duck.knative.dev/channelable: "true"
-# Do not use this role directly. These rules will be added to the "channelable" role.
+# Do not use this role directly. These rules will be added to the "channelable-manipulator" role.
 rules:
 - apiGroups:
 - messaging.knative.dev
diff --git a/contrib/natss/config/200-channelable-clusterrole.yaml b/contrib/natss/config/200-channelable-manipulator-clusterrole.yaml
similarity index 93%
rename from contrib/natss/config/200-channelable-clusterrole.yaml
rename to contrib/natss/config/200-channelable-manipulator-clusterrole.yaml
index 56e9a94a6d6..d80168a3a05 100644
--- a/contrib/natss/config/200-channelable-clusterrole.yaml
+++ b/contrib/natss/config/200-channelable-manipulator-clusterrole.yaml
@@ -15,10 +15,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: natss-channelable
+ name: natss-channelable-manipulator
 labels:
 duck.knative.dev/channelable: "true"
-# Do not use this role directly. These rules will be added to the "channelable" role.
+# Do not use this role directly. These rules will be added to the "channelable-manipulator" role.
 rules:
 - apiGroups:
 - messaging.knative.dev