first go at adding in the clusterrole for cli access

kabanero-io · Jun 12, 2020 · 17fe36a · 17fe36a
1 parent adb767e
commit 17fe36a
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 0 deletions.
diff --git a/config/orchestrations/cli-services/0.2/kabanero-cli.yaml b/config/orchestrations/cli-services/0.2/kabanero-cli.yaml
@@ -88,6 +88,13 @@ rules:
   - '*'
   verbs:
   - '*'
+- apiGroups:
+  - kabanero.io
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
 ---
 apiVersion: v1
 kind: ServiceAccount

diff --git a/deploy/kabanero-customresources.yaml b/deploy/kabanero-customresources.yaml
@@ -556,3 +556,25 @@ subjects:
 - kind: ServiceAccount
   name: event-listener
   namespace: kabanero
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kabanero-cli-service-deployments-role
+  namespace: kabanero
+  labels:
+    kabanero.io/install: 27-cli-service-role
+subjects:
+- kind: ServiceAccount
+- name: kabanero-cli
+- namespace: kabanero
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+
diff --git a/pkg/controller/kabaneroplatform/targetnamespaces.go b/pkg/controller/kabaneroplatform/targetnamespaces.go
@@ -69,6 +69,12 @@ func createBindingTemplates(saNamespace string) []targetNamespaceRoleBindingTemp
 			clusterRoleName: "kabanero-pipeline-deploy-role",
 		},
 		// TODO: Second role binding for CLI service
+		{
+			name: "kabanero-cli-deploy-rolebinding"
+			saName: "kabanero-cli"
+			saNamespace: saNamespace,
+			clusterRoleName: "kabanero-cli-service-deployments-role"
+		},
 	}
 }