kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: admin-cannot-create-subscription rules: - verbs: - update - patch - delete apiGroups: - operators.coreos.com resources: - subscriptions - verbs: - delete apiGroups: - operators.coreos.com resources: - clusterserviceversions - catalogsources - installplans - verbs: - get - list - watch apiGroups: - operators.coreos.com resources: - clusterserviceversions - catalogsources - installplans - subscriptions - operatorgroups - verbs: - get - list - watch apiGroups: - packages.operators.coreos.com resources: - packagemanifests - packagemanifests/icon - verbs: - create - update - patch - delete apiGroups: - packages.operators.coreos.com resources: - packagemanifests - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' resources: - secrets - serviceaccounts - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - image.openshift.io resources: - imagestreamimages - imagestreammappings - imagestreams - imagestreams/secrets - imagestreamtags - imagetags - verbs: - create apiGroups: - '' - image.openshift.io resources: - imagestreamimports - verbs: - get - update apiGroups: - '' - image.openshift.io resources: - imagestreams/layers - verbs: - get apiGroups: - '' resources: - namespaces - verbs: - get apiGroups: - '' - project.openshift.io resources: - projects - verbs: - create - update - patch - delete apiGroups: - core.libopenstorage.org resources: - storageclusters - verbs: - create - update - patch - delete apiGroups: - core.libopenstorage.org resources: - storagenodes - verbs: - get - list - watch apiGroups: - '' resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy - verbs: - impersonate apiGroups: - '' resources: - serviceaccounts - verbs: - create - delete - deletecollection - patch - update apiGroups: - '' resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy - verbs: - create - delete - deletecollection - patch - update apiGroups: - '' resources: - configmaps - endpoints - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy - verbs: - create - delete - deletecollection - patch - update apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale - verbs: - create - delete - deletecollection - patch - update apiGroups: - autoscaling resources: - horizontalpodautoscalers - verbs: - create - delete - deletecollection - patch - update apiGroups: - batch resources: - cronjobs - jobs - verbs: - create - delete - deletecollection - patch - update apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale - verbs: - create - delete - deletecollection - patch - update apiGroups: - policy resources: - poddisruptionbudgets - verbs: - create - delete - deletecollection - patch - update apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies - verbs: - get - list - watch apiGroups: - metrics.k8s.io resources: - pods - nodes - verbs: - create apiGroups: - '' - image.openshift.io resources: - imagestreams - verbs: - update apiGroups: - '' - build.openshift.io resources: - builds/details - verbs: - get apiGroups: - '' - build.openshift.io resources: - builds - verbs: - get - list - watch - create - update - patch - delete - deletecollection apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshots - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - build.openshift.io resources: - buildconfigs - buildconfigs/webhooks - builds - verbs: - get - list - watch apiGroups: - '' - build.openshift.io resources: - builds/log - verbs: - create apiGroups: - '' - build.openshift.io resources: - buildconfigs/instantiate - buildconfigs/instantiatebinary - builds/clone - verbs: - edit - view apiGroups: - build.openshift.io resources: - jenkins - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - apps.openshift.io resources: - deploymentconfigs - deploymentconfigs/scale - verbs: - create apiGroups: - '' - apps.openshift.io resources: - deploymentconfigrollbacks - deploymentconfigs/instantiate - deploymentconfigs/rollback - verbs: - get - list - watch apiGroups: - '' - apps.openshift.io resources: - deploymentconfigs/log - deploymentconfigs/status - verbs: - get - list - watch apiGroups: - '' - image.openshift.io resources: - imagestreams/status - verbs: - get - list - watch apiGroups: - '' - quota.openshift.io resources: - appliedclusterresourcequotas - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - route.openshift.io resources: - routes - verbs: - create apiGroups: - '' - route.openshift.io resources: - routes/custom-host - verbs: - get - list - watch apiGroups: - '' - route.openshift.io resources: - routes/status - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - template.openshift.io resources: - processedtemplates - templateconfigs - templateinstances - templates - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - networking.k8s.io resources: - networkpolicies - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - build.openshift.io resources: - buildlogs - verbs: - get - list - watch apiGroups: - '' resources: - resourcequotausages - verbs: - get - list - watch apiGroups: - packages.operators.coreos.com resources: - packagemanifests - verbs: - get - list - watch apiGroups: - '' - image.openshift.io resources: - imagestreamimages - imagestreammappings - imagestreams - imagestreamtags - imagetags - verbs: - get apiGroups: - '' - image.openshift.io resources: - imagestreams/layers - verbs: - get apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions resourceNames: - storageclusters.core.libopenstorage.org - verbs: - get - list - watch apiGroups: - core.libopenstorage.org resources: - storageclusters - verbs: - get apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions resourceNames: - storagenodes.core.libopenstorage.org - verbs: - get - list - watch apiGroups: - core.libopenstorage.org resources: - storagenodes - verbs: - get - list - watch apiGroups: - '' resources: - configmaps - endpoints - persistentvolumeclaims - persistentvolumeclaims/status - pods - replicationcontrollers - replicationcontrollers/scale - serviceaccounts - services - services/status - verbs: - get - list - watch apiGroups: - '' resources: - bindings - events - limitranges - namespaces/status - pods/log - pods/status - replicationcontrollers/status - resourcequotas - resourcequotas/status - verbs: - get - list - watch apiGroups: - '' resources: - namespaces - verbs: - get - list - watch apiGroups: - apps resources: - controllerrevisions - daemonsets - daemonsets/status - deployments - deployments/scale - deployments/status - replicasets - replicasets/scale - replicasets/status - statefulsets - statefulsets/scale - statefulsets/status - verbs: - get - list - watch apiGroups: - autoscaling resources: - horizontalpodautoscalers - horizontalpodautoscalers/status - verbs: - get - list - watch apiGroups: - batch resources: - cronjobs - cronjobs/status - jobs - jobs/status - verbs: - get - list - watch apiGroups: - extensions resources: - daemonsets - daemonsets/status - deployments - deployments/scale - deployments/status - ingresses - ingresses/status - networkpolicies - replicasets - replicasets/scale - replicasets/status - replicationcontrollers/scale - verbs: - get - list - watch apiGroups: - policy resources: - poddisruptionbudgets - poddisruptionbudgets/status - verbs: - get - list - watch apiGroups: - networking.k8s.io resources: - ingresses - ingresses/status - networkpolicies - verbs: - get - list - watch apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshots - verbs: - get - list - watch apiGroups: - '' - build.openshift.io resources: - buildconfigs - buildconfigs/webhooks - builds - verbs: - view apiGroups: - build.openshift.io resources: - jenkins - verbs: - get - list - watch apiGroups: - '' - apps.openshift.io resources: - deploymentconfigs - deploymentconfigs/scale - verbs: - get - list - watch apiGroups: - '' - route.openshift.io resources: - routes - verbs: - get - list - watch apiGroups: - '' - template.openshift.io resources: - processedtemplates - templateconfigs - templateinstances - templates - verbs: - get - list - watch apiGroups: - '' - build.openshift.io resources: - buildlogs - verbs: - '*' apiGroups: - packages.operators.coreos.com resources: - packagemanifests - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - '' - authorization.openshift.io resources: - rolebindings - roles - verbs: - create - delete - deletecollection - get - list - patch - update - watch apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - roles - verbs: - create apiGroups: - '' - authorization.openshift.io resources: - localresourceaccessreviews - localsubjectaccessreviews - subjectrulesreviews - verbs: - create apiGroups: - authorization.k8s.io resources: - localsubjectaccessreviews - verbs: - delete - get apiGroups: - '' - project.openshift.io resources: - projects - verbs: - create apiGroups: - '' - authorization.openshift.io resources: - resourceaccessreviews - subjectaccessreviews - verbs: - '*' apiGroups: - core.libopenstorage.org resources: - storageclusters - verbs: - '*' apiGroups: - core.libopenstorage.org resources: - storagenodes - verbs: - create apiGroups: - '' - security.openshift.io resources: - podsecuritypolicyreviews - podsecuritypolicyselfsubjectreviews - podsecuritypolicysubjectreviews - verbs: - get - list - watch apiGroups: - '' - authorization.openshift.io resources: - rolebindingrestrictions - verbs: - admin - edit - view apiGroups: - build.openshift.io resources: - jenkins - verbs: - delete - get - patch - update apiGroups: - '' - project.openshift.io resources: - projects - verbs: - update apiGroups: - '' - route.openshift.io resources: - routes/status