OpenShift Builds: BUILD-1186

Shared Resources: Cluster Admin Must Create Globally Cluster-Scoped Permissions


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • builds-1.3
    • builds-1.1
    • Component: shared-resources
    • Sprint: Builds Sprint #17
    • Approved

      Description of problem:

      When the Shared Resource CSI driver is deployed by Builds for OpenShift, the cluster admin must grant the CSI driver additional RBAC permissions that are globally cluster-scoped. This is something the operator should take care of.

      Workaround: Admin grants the following RBAC to the Shared Resource CSI Driver:

      • "create" SubjectAccessReviews
      • "get", "list", and "watch" SharedSecret and SharedConfigMap objects
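      The workaround above written out as a ClusterRole and ClusterRoleBinding, as an added example that is not part of the issue or the operator's own manifests; the service account name and namespace are placeholders, and the sharedresource.openshift.io API group is assumed from the driver's CRDs:

```yaml
# Added example: the manual, cluster-scoped RBAC grant from the workaround.
# Assumes the CSI driver runs as service account CSI_DRIVER_SA in namespace
# CSI_DRIVER_NAMESPACE (placeholders; substitute the values from your deployment).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: shared-resource-csi-driver-workaround
rules:
  # "create" SubjectAccessReviews
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  # "get", "list", and "watch" SharedSecret and SharedConfigMap objects
  # (API group assumed from the driver's CRDs)
  - apiGroups: ["sharedresource.openshift.io"]
    resources: ["sharedsecrets", "sharedconfigmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shared-resource-csi-driver-workaround
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: shared-resource-csi-driver-workaround
subjects:
  - kind: ServiceAccount
    name: CSI_DRIVER_SA              # placeholder
    namespace: CSI_DRIVER_NAMESPACE  # placeholder
```

      After applying, confirm the grant took effect with `oc auth can-i get sharedsecrets --as=system:serviceaccount:CSI_DRIVER_NAMESPACE:CSI_DRIVER_SA`; once the operator manages these permissions itself (the acceptance criteria below), the binding should be removed so the driver does not hold a duplicate cluster-wide grant.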

      Prerequisites (if any, like setup, operators/versions):

      Builds for OpenShift 1.1.0

      Steps to Reproduce

      1. Deploy Operator
      2. Follow the procedure to share a Secret or ConfigMap in a pod as outlined in the OCP 4.16 docs: link


      Actual results:

      Pod is not created because the CSI driver cannot find the referenced SharedSecret or SharedConfigMap

      Expected results:

      Pod is not created because the CSI driver can't access the underlying Secret or ConfigMap. This is the new behavior we want to introduce as part of GA-ing the CSI driver.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria:

      • Cluster admins do not need to grant the CSI driver permission to create subject access reviews
      • Cluster admins do not need to grant the CSI driver permission to get, list, or watch SharedSecret and SharedConfigMap objects

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

              adkaplan@redhat.com Adam Kaplan