From fa7a498c2852e2c7c86798f00e170d5194b2093a Mon Sep 17 00:00:00 2001
From: Michal Fojtik
Date: Thu, 14 Sep 2017 16:12:55 +0200
Subject: [PATCH] allow image-puller role to read image signatures
---
 pkg/cmd/server/bootstrappolicy/policy.go | 2 ++
 test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
index 97b1637c26d9..9797f8e531b1 100644
--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -533,6 +533,8 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 Rules: []rbac.PolicyRule{
 // pull images
 rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
+ // read signatures
+ rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagesignatures").RuleOrDie(),
 },
 },
 {
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
index b2b3edfe24d4..67c1e5844360 100644
--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -1755,6 +1755,13 @@ items:
 - imagestreams/layers
 verbs:
 - get
+ - apiGroups:
+ - ""
+ - image.openshift.io
+ resources:
+ - imagesignatures
+ verbs:
+ - get
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
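Review bot: The added `Resources("imagesignatures")` rule in the policy.go hunk is scoped differently from the `imagestreams/layers` rule above it, and the `// read signatures` comment does not record that. `imagestreams/layers` is a subresource of an image stream, while `imagesignatures` is a top-level resource; if it is cluster-scoped (worth confirming against the image API), a namespaced RoleBinding to this role would not confer the new permission, and a ClusterRoleBinding would confer read on signatures for every image. It is also worth confirming that the resource serves `get` at all, since a rule for an unsupported verb reads as an effective grant when the role is audited. I would expand the comment to state the consumer and the intended scope, for example `// read image signatures; checked by <component doing the access review>, effective only via <binding scope>`. The role literal starts above the hunk, so the role name is taken from the commit subject rather than from visible lines.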