From bf44d4744174f13e3b2151743c687bb938815e4e Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Fri, 28 Nov 2025 09:41:34 +0000
Subject: [PATCH 01/14] add dedicated service account to crb, cvo and version pod
---
 install/0000_00_cluster-version-operator_02_roles.yaml | 2 +-
 ...00_00_cluster-version-operator_02_service_account.yaml | 8 ++++++++
 .../0000_00_cluster-version-operator_03_deployment.yaml | 1 +
 pkg/cvo/updatepayload.go | 1 +
 4 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 install/0000_00_cluster-version-operator_02_service_account.yaml
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
index 9396aa6149..14f334f4a2 100644
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ b/install/0000_00_cluster-version-operator_02_roles.yaml
@@ -11,4 +11,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 namespace: openshift-cluster-version
- name: default
+ name: cvo-dedicated-sa
diff --git a/install/0000_00_cluster-version-operator_02_service_account.yaml b/install/0000_00_cluster-version-operator_02_service_account.yaml
new file mode 100644
index 0000000000..34d90bd18e
--- /dev/null
+++ b/install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cvo-dedicated-sa
+ namespace: openshift-cluster-version
+ annotations:
+ kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
+ include.release.openshift.io/self-managed-high-availability: "true"
\ No newline at end of file
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
index ff85c55f96..9872e2c1ed 100644
--- a/install/0000_00_cluster-version-operator_03_deployment.yaml
+++ b/install/0000_00_cluster-version-operator_03_deployment.yaml
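Review bot: Swapping the only subject of the cluster-admin ClusterRoleBinding from `default` to `cvo-dedicated-sa` in the same payload that switches the Deployment means the CVO pod applying this manifest is still running as `default` and loses cluster-admin before its replacement pod exists, if the operator applies its manifests in filename order while running; patch 11 adds a transitional binding for `default` and the third hunk of patch 12 removes it again, so the final series keeps that window. Keeping a second, clearly temporary binding for `default` until the rollout to the dedicated account has been verified, and removing it in a later release, avoids a self-lockout mid-upgrade. Note also that `02_roles.yaml` sorts before `02_service_account.yaml`, so the binding is applied before the account exists; the API server tolerates that, and patch 09's rename of the roles file is the cleaner ordering.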
@@ -23,6 +23,7 @@ spec:
 k8s-app: cluster-version-operator
 spec:
 automountServiceAccountToken: false
+ serviceAccountName: cvo-dedicated-sa
 containers:
 - name: cluster-version-operator
 image: '{{.ReleaseImage}}'
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
index ace63e7259..3b50081c17 100644
--- a/pkg/cvo/updatepayload.go
+++ b/pkg/cvo/updatepayload.go
@@ -232,6 +232,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 },
 },
 Spec: corev1.PodSpec{
+ ServiceAccountName: "cvo-dedicated-sa",
 ActiveDeadlineSeconds: deadline,
 InitContainers: []corev1.Container{
 setContainerDefaults(corev1.Container{
From 29bce17e5f8759348811b20a208724a01496d05c Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Fri, 28 Nov 2025 09:45:04 +0000
Subject: [PATCH 02/14] add new line to keep linter happy
---
 .../0000_00_cluster-version-operator_02_service_account.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/0000_00_cluster-version-operator_02_service_account.yaml b/install/0000_00_cluster-version-operator_02_service_account.yaml
index 34d90bd18e..b8e01093ba 100644
--- a/install/0000_00_cluster-version-operator_02_service_account.yaml
+++ b/install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -5,4 +5,4 @@ metadata:
 namespace: openshift-cluster-version
 annotations:
 kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
- include.release.openshift.io/self-managed-high-availability: "true"
\ No newline at end of file
+ include.release.openshift.io/self-managed-high-availability: "true"
From 2982ece248503cf3d7c89f760dc7e70f26d6dd5a Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Fri, 28 Nov 2025 09:55:16 +0000
Subject: [PATCH 03/14] add sa to testrendermanifest
---
 .../testdata/TestRenderManifest_expected_cvo_deployment.yaml | 1 +
 1 file changed, 1 insertion(+)
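Review bot: `serviceAccountName: cvo-dedicated-sa` is added directly under the existing `automountServiceAccountToken: false`, so the pod only authenticates as the new account if a projected `serviceAccountToken` volume outside this hunk supplies the credential; if that volume does not exist, the pod runs with no API credential and the account switch has no effect, which is worth confirming in the same deployment manifest. A one-line comment next to the new field, `# token is supplied by the projected volume, not automount`, would record the dependency for the next reader.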
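Review bot: The service-account name is a bare string literal inside `fetchUpdatePayloadToDir` (the function starts and ends outside the hunk) that has to stay in sync with the ServiceAccount manifest under `install/`, and patch 04 already changes it once; a package-level constant, `const updatePayloadServiceAccount = "update-payload-dedicated-sa"`, with a comment such as `// updatePayloadServiceAccount must match the ServiceAccount in install/0000_00_cluster-version-operator_02_service_account.yaml`, gives one place to update and a name tests can reference. The same applies to the Go hunk in patch 04.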
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
index b3f0c40d1b..f721ed09e1 100644
--- a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
+++ b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -23,6 +23,7 @@ spec:
 k8s-app: cluster-version-operator
 spec:
 automountServiceAccountToken: false
+ serviceAccountName: cvo-dedicated-sa
 containers:
 - name: cluster-version-operator
 image: 'quay.io/cvo/release:latest'
From ca25977fb86eaaabf2c901b307861373be407fc9 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Fri, 28 Nov 2025 14:21:13 +0000
Subject: [PATCH 04/14] add dedicated sa for update payload
---
 .../0000_00_cluster-version-operator_02_roles.yaml | 13 +++++++++++++
 ...cluster-version-operator_02_service_account.yaml | 9 +++++++++
 pkg/cvo/updatepayload.go | 2 +-
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
index 14f334f4a2..922a8d3bc4 100644
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ b/install/0000_00_cluster-version-operator_02_roles.yaml
@@ -12,3 +12,16 @@ subjects:
 - kind: ServiceAccount
 namespace: openshift-cluster-version
 name: cvo-dedicated-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cvo-dedicated-sa-scc-privileged-access
+subjects:
+- kind: ServiceAccount
+ name: update-payload-dedicated-sa
+ namespace: openshift-cluster-version
+roleRef:
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+ apiGroup: rbac.authorization.k8s.io
diff --git a/install/0000_00_cluster-version-operator_02_service_account.yaml b/install/0000_00_cluster-version-operator_02_service_account.yaml
index b8e01093ba..4894718f87 100644
--- a/install/0000_00_cluster-version-operator_02_service_account.yaml
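Review bot: The new binding is named `cvo-dedicated-sa-scc-privileged-access` but its only subject is `update-payload-dedicated-sa`, so the name attributes a privileged-SCC grant to the operator account rather than the payload pod's account; patch 10 renames it to `cluster-version-operator-scc-privileged-access`, which keeps the mismatch. Because `system:openshift:scc:privileged` is the most permissive SCC, name the binding after its subject, `update-payload-scc-privileged-access`, and add `kubernetes.io/description: Allow the update payload pod to run under the privileged SCC.` so the grant is auditable. The binding also lacks the `include.release.openshift.io/self-managed-high-availability: "true"` annotation that the sibling ClusterRoleBinding in this file carries; if the release payload is filtered on that annotation, this object would not ship.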
+++ b/install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -6,3 +6,12 @@ metadata:
 annotations:
 kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
 include.release.openshift.io/self-managed-high-availability: "true"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: update-payload-dedicated-sa
+ namespace: openshift-cluster-version
+ annotations:
+ kubernetes.io/description: Dedicated Service Account for the Update Payload.
+ include.release.openshift.io/self-managed-high-availability: "true"
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
index 3b50081c17..d4439830d2 100644
--- a/pkg/cvo/updatepayload.go
+++ b/pkg/cvo/updatepayload.go
@@ -232,7 +232,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 },
 },
 Spec: corev1.PodSpec{
- ServiceAccountName: "cvo-dedicated-sa",
+ ServiceAccountName: "update-payload-dedicated-sa",
 ActiveDeadlineSeconds: deadline,
 InitContainers: []corev1.Container{
 setContainerDefaults(corev1.Container{
From 825ac6174246111df4ada84e36d5af8962c4cab4 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Sat, 29 Nov 2025 23:18:28 +0000
Subject: [PATCH 05/14] add cluster-admin clusterrole
---
 ..._00_cluster-version-operator_02_roles.yaml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
index 922a8d3bc4..f082f05c8c 100644
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ b/install/0000_00_cluster-version-operator_02_roles.yaml
@@ -1,4 +1,25 @@
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: cluster-admin
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-cluster-admin: "true"
+ kubernetes.io/bootstrapping: rbac-defaults
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: cluster-version-operator
From 446f19ba3548870962acfcb3b04031bbbabc4bad Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Sun, 30 Nov 2025 20:05:35 +0000
Subject: [PATCH 06/14] remove cluster-admin role from file
---
 ..._00_cluster-version-operator_02_roles.yaml | 21 -------------------
 1 file changed, 21 deletions(-)
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
index f082f05c8c..922a8d3bc4 100644
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ b/install/0000_00_cluster-version-operator_02_roles.yaml
@@ -1,25 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- name: cluster-admin
- labels:
- rbac.authorization.k8s.io/aggregate-to-cluster-admin: "true"
- kubernetes.io/bootstrapping: rbac-defaults
-rules:
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - '*'
-- nonResourceURLs:
- - '*'
- verbs:
- - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: cluster-version-operator
From bb1602f1bc96ceb01a0b7c8ff495f6cada724828 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Mon, 1 Dec 2025 09:10:23 +0000
Subject: [PATCH 07/14] add new cluster role with watch feature gate
---
 ...000_00_cluster-version-operator_02_roles.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
index 922a8d3bc4..611ce9fb30 100644
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ b/install/0000_00_cluster-version-operator_02_roles.yaml
@@ -1,4 +1,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cvo-featuregate-reader
+rules:
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - featuregates
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: cluster-version-operator
@@ -7,7 +21,7 @@ metadata:
 include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 kind: ClusterRole
- name: cluster-admin
+ name: cvo-featuregate-reader
 subjects:
 - kind: ServiceAccount
 namespace: openshift-cluster-version
From d7e4cd0779b9524353186b132320fafc62bfd2e8 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Mon, 1 Dec 2025 13:43:33 +0000
Subject: [PATCH 08/14] re-add cluster-admin
---
 ...00_00_cluster-version-operator_02_roles.yaml | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
index 611ce9fb30..34de8c44ad 100644
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ b/install/0000_00_cluster-version-operator_02_roles.yaml
@@ -1,18 +1,4 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: cvo-featuregate-reader
-rules:
-- apiGroups:
- - config.openshift.io
- resources:
- - featuregates
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: cluster-version-operator
@@ -21,7 +7,8 @@ metadata:
 include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 kind: ClusterRole
- name: cvo-featuregate-reader
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
 namespace: openshift-cluster-version
From 5641681d5f9d5dbab11626ab932a300802004661 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Wed, 3 Dec 2025 13:11:35 +0000
Subject: [PATCH 09/14] rename roles to ensure service account is added first
---
 ...oles.yaml => 0000_00_cluster-version-operator_03_1_roles.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename install/{0000_00_cluster-version-operator_02_roles.yaml => 0000_00_cluster-version-operator_03_1_roles.yaml} (100%)
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
similarity index 100%
rename from install/0000_00_cluster-version-operator_02_roles.yaml
rename to install/0000_00_cluster-version-operator_03_1_roles.yaml
From 5fe9198e28831dc8ef98d703077255d6331ac9c1 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Wed, 3 Dec 2025 13:14:00 +0000
Subject: [PATCH 10/14] rename cvo-dedicated-sa to cluster-version-operator
---
 .../0000_00_cluster-version-operator_02_service_account.yaml | 2 +-
 install/0000_00_cluster-version-operator_03_1_roles.yaml | 4 ++--
 install/0000_00_cluster-version-operator_03_deployment.yaml | 2 +-
 .../testdata/TestRenderManifest_expected_cvo_deployment.yaml | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/install/0000_00_cluster-version-operator_02_service_account.yaml b/install/0000_00_cluster-version-operator_02_service_account.yaml
index 4894718f87..96b8eee99d 100644
--- a/install/0000_00_cluster-version-operator_02_service_account.yaml
+++ b/install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: cvo-dedicated-sa
+ name: cluster-version-operator
 namespace: openshift-cluster-version
 annotations:
 kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
diff --git a/install/0000_00_cluster-version-operator_03_1_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
index 34de8c44ad..f637cf3007 100644
--- a/install/0000_00_cluster-version-operator_03_1_roles.yaml
+++ b/install/0000_00_cluster-version-operator_03_1_roles.yaml
@@ -12,12 +12,12 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 namespace: openshift-cluster-version
- name: cvo-dedicated-sa
+ name: cluster-version-operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: cvo-dedicated-sa-scc-privileged-access
+ name: cluster-version-operator-scc-privileged-access
 subjects:
 - kind: ServiceAccount
 name: update-payload-dedicated-sa
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
index 9872e2c1ed..8a373dcc9d 100644
--- a/install/0000_00_cluster-version-operator_03_deployment.yaml
+++ b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -23,7 +23,7 @@ spec:
 k8s-app: cluster-version-operator
 spec:
 automountServiceAccountToken: false
- serviceAccountName: cvo-dedicated-sa
+ serviceAccountName: cluster-version-operator
 containers:
 - name: cluster-version-operator
 image: '{{.ReleaseImage}}'
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
index f721ed09e1..9c037bdd93 100644
--- a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
+++ b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -23,7 +23,7 @@ spec:
 k8s-app: cluster-version-operator
 spec:
 automountServiceAccountToken: false
- serviceAccountName: cvo-dedicated-sa
+ serviceAccountName: cluster-version-operator
 containers:
 - name: cluster-version-operator
 image: 'quay.io/cvo/release:latest'
From 6310c457cef67a669426897fedde336c94141d8d Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Thu, 4 Dec 2025 10:02:06 +0000
Subject: [PATCH 11/14] add default sa crb back to test into and out of change test failures
---
 ...0_00_cluster-version-operator_03_1_roles.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/install/0000_00_cluster-version-operator_03_1_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
index f637cf3007..7cc497fb0f 100644
--- a/install/0000_00_cluster-version-operator_03_1_roles.yaml
+++ b/install/0000_00_cluster-version-operator_03_1_roles.yaml
@@ -16,6 +16,22 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ name: cluster-version-operator-default-sa
+ annotations:
+ kubernetes.io/description: Grant the default service account cluster-admin permissions during transition to dedicated service account.
+ include.release.openshift.io/self-managed-high-availability: "true"
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ namespace: openshift-cluster-version
+ name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 name: cluster-version-operator-scc-privileged-access
 subjects:
From b39df2b8533d82a6e1b65d457dd885a2505d9bc8 Mon Sep 17 00:00:00 2001
From: Evan Hearne
Date: Thu, 4 Dec 2025 15:53:41 +0000
Subject: [PATCH 12/14] add back featuregate read role + remove default crb
---
 ...0_cluster-version-operator_03_1_roles.yaml | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/install/0000_00_cluster-version-operator_03_1_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
index 7cc497fb0f..88d3cb3c87 100644
--- a/install/0000_00_cluster-version-operator_03_1_roles.yaml
+++ b/install/0000_00_cluster-version-operator_03_1_roles.yaml
@@ -1,13 +1,22 @@
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: featuregate-reader
+rules:
+- apiGroups: ["config.openshift.io"]
+ resources: ["featuregates"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: cluster-version-operator
+ name: cvo-featuregate-binding
 annotations:
- kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
+ kubernetes.io/description: Grant the cluster-version operator featuregate specific permissions.
 include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 kind: ClusterRole
- name: cluster-admin
+ name: featuregate-reader
 apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
@@ -17,9 +26,9 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: cluster-version-operator-default-sa
+ name: cluster-version-operator
 annotations:
- kubernetes.io/description: Grant the default service account cluster-admin permissions during transition to dedicated service account.
+ kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
 include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 kind: ClusterRole
@@ -28,7 +37,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 namespace: openshift-cluster-version
- name: default
+ name: cluster-version-operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
From 7d69c506739001ad09d0ff719350e5f3a4292e41 Mon Sep 17 00:00:00 2001
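Review bot: After this hunk the `cluster-version-operator` account is bound to `featuregate-reader` and, in the hunk at `@@ -28,7 +37,7 @@`, still to `cluster-admin`, so the narrow reader binding grants nothing the account does not already hold; unless removal of the cluster-admin binding is planned, a description on `cvo-featuregate-binding` such as `kubernetes.io/description: Target least-privilege grant; redundant while the cluster-admin binding in this file remains.` stops a later reader from assuming the operator has been narrowed. The ClusterRole name `featuregate-reader` carries no operator prefix in a cluster-wide name space and could collide with another component's role; patch 13 renames it to `cvo-required-config-reader`, which resolves that. The new ClusterRole also lacks the `include.release.openshift.io/self-managed-high-availability: "true"` annotation the bindings carry.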
From: Evan Hearne
Date: Fri, 5 Dec 2025 09:33:06 +0000
Subject: [PATCH 13/14] add new reader permissions
---
 ...0_cluster-version-operator_03_1_roles.yaml | 45 +++++++++++++++++--
 1 file changed, 41 insertions(+), 4 deletions(-)
diff --git a/install/0000_00_cluster-version-operator_03_1_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
index 88d3cb3c87..9cdb561da7 100644
--- a/install/0000_00_cluster-version-operator_03_1_roles.yaml
+++ b/install/0000_00_cluster-version-operator_03_1_roles.yaml
@@ -1,22 +1,59 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: featuregate-reader
+ name: cvo-required-config-reader
 rules:
 - apiGroups: ["config.openshift.io"]
- resources: ["featuregates"]
+ resources: ["featuregates", "clusteroperators", "clusterversions", "proxies", "infrastructures"]
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cvo-configmap-reader
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cvo-config-configmap-binding
+ namespace: openshift-config
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cvo-configmap-reader
+subjects:
+- kind: ServiceAccount
+ name: cluster-version-operator
+ namespace: openshift-cluster-version
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cvo-managed-configmap-binding
+ namespace: openshift-config-managed
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cvo-configmap-reader
+subjects:
+- kind: ServiceAccount
+ name: cluster-version-operator
+ namespace: openshift-cluster-version
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: cvo-featuregate-binding
+ name: cvo-required-config-binding
 annotations:
 kubernetes.io/description: Grant the cluster-version operator featuregate specific permissions.
 include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
 kind: ClusterRole
- name: featuregate-reader
+ name: cvo-required-config-reader
 apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
From 0c875cc7891f7ea3507f457ff92e8bcf50165b95 Mon Sep 17 00:00:00 2001
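Review bot: The description on `cvo-required-config-binding` still reads `Grant the cluster-version operator featuregate specific permissions.` although `cvo-required-config-reader` now also covers clusteroperators, clusterversions, proxies and infrastructures; change it to `kubernetes.io/description: Grant the cluster-version operator read access to the config.openshift.io resources it requires.` so the annotation matches the rule it describes. The two new ClusterRoles and the RoleBindings in openshift-config and openshift-config-managed carry neither a description nor the `include.release.openshift.io/self-managed-high-availability: "true"` annotation that every ClusterRoleBinding in this file has; if the payload is filtered on that annotation these objects would be dropped, and the same gap applies to the leases role and binding added in patch 14. Binding `cvo-configmap-reader` through namespaced RoleBindings rather than a ClusterRoleBinding is the right least-privilege shape for a configmap grant.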
From: Evan Hearne
Date: Fri, 5 Dec 2025 14:06:48 +0000
Subject: [PATCH 14/14] add leases role and role binding
---
 ...0_cluster-version-operator_03_1_roles.yaml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/install/0000_00_cluster-version-operator_03_1_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
index 9cdb561da7..2fb975f0b2 100644
--- a/install/0000_00_cluster-version-operator_03_1_roles.yaml
+++ b/install/0000_00_cluster-version-operator_03_1_roles.yaml
@@ -1,5 +1,28 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ name: cvo-leader-election
+rules:
+- apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cvo-leader-election-binding
+ namespace: openshift-cluster-version
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cvo-leader-election
+subjects:
+- kind: ServiceAccount
+ name: cluster-version-operator
+ namespace: openshift-cluster-version
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 name: cvo-required-config-reader
 rules:
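Review bot: `cvo-leader-election` is a ClusterRole whose only binding in this hunk is the RoleBinding in `openshift-cluster-version`, so a namespaced `kind: Role` in that namespace would express the intended scope in the object itself and avoid leaving a cluster-scoped role that a later ClusterRoleBinding could widen to every namespace's leases; if the ClusterRole is kept deliberately for reuse, a `kubernetes.io/description` stating that it is meant to be bound per namespace only records that choice. The verbs `get`, `create`, `update` are the set lease-based leader election needs, and `watch` is correctly left out. Like the other roles added to this file, the role and binding carry no description and no `include.release.openshift.io/self-managed-high-availability: "true"` annotation, which the ClusterRoleBindings in the same file do carry.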