Update hub-cluster-robot permissions (#30)

Signed-off-by: Rokibul Hasan <mdrokibulhasan@appscode.com>
kluster-manager · Sep 17, 2024 · dbd36fe · dbd36fe
1 parent 20aaa8d
commit dbd36fe
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/charts/hub-cluster-robot/README.md b/charts/hub-cluster-robot/README.md
@@ -50,14 +50,14 @@ The following table lists the configurable parameters of the `hub-cluster-robot`
 | nameOverride          |             | <code>""</code>                                    |
 | fullnameOverride      |             | <code>""</code>                                    |
 | kubeconfigSecretName  |             | <code>""</code>                                    |
-| addonManagerNamespace |             | <code>open-cluster-management-cluster-auth</code>  |
+| addonManagerNamespace |             | <code>open-cluster-management</code>               |
 | kubectl.image         |             | <code>ghcr.io/appscode/kubectl-nonroot:1.25</code> |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
 
 ```bash
-$ helm upgrade -i hub-cluster-robot appscode/hub-cluster-robot -n open-cluster-management --create-namespace --version=v2024.8.9 --set addonManagerNamespace=open-cluster-management-cluster-auth
+$ helm upgrade -i hub-cluster-robot appscode/hub-cluster-robot -n open-cluster-management --create-namespace --version=v2024.8.9 --set addonManagerNamespace=open-cluster-management
 ```
 
 Alternatively, a YAML file that specifies the values for the parameters can be provided while

diff --git a/charts/hub-cluster-robot/common/rbac/role.yaml b/charts/hub-cluster-robot/common/rbac/role.yaml
@@ -7,6 +7,17 @@ rules:
   - apiGroups: [""]
     resources: ["secrets", "serviceaccounts"]
     verbs: ["get", "list", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: open-cluster-management:hub-cluster-robot:cluster-auth
+rules:
   - apiGroups: [ "authentication.k8s.appscode.com" ]
     resources: [ "*" ]
     verbs: [ "*" ]
+  - apiGroups: [ "cluster.open-cluster-management.io" ]
+    resources: [ "managedclusters", "managedclustersets" ]
+    verbs: [ "get", "list", "watch" ]
diff --git a/charts/hub-cluster-robot/common/rbac/role_binding.yaml b/charts/hub-cluster-robot/common/rbac/role_binding.yaml
@@ -11,3 +11,18 @@ subjects:
   - kind: ServiceAccount
     name: hub-cluster-robot
     namespace: {{ include "hub-cluster-robot.namespace" . }}
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: open-cluster-management:hub-cluster-robot:cluster-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: open-cluster-management:hub-cluster-robot:cluster-auth
+subjects:
+  - kind: ServiceAccount
+    name: hub-cluster-robot
+    namespace: {{ include "hub-cluster-robot.namespace" . }}