diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2 index 391ec61b..60c12b0d 100644 --- a/ansible/templates/role.yml.j2 +++ b/ansible/templates/role.yml.j2 @@ -11,7 +11,13 @@ rules: - routes - routes/custom-host verbs: - - '*' + - get + - list + - create + - delete + - patch + - update + - watch - apiGroups: - "" - "rbac.authorization.k8s.io" @@ -28,7 +34,13 @@ rules: - roles - rolebindings verbs: - - '*' + - get + - list + - create + - delete + - patch + - update + - watch - apiGroups: - apps - networking.k8s.io @@ -39,7 +51,13 @@ rules: - statefulsets - ingresses verbs: - - '*' + - get + - list + - create + - delete + - patch + - update + - watch - apiGroups: - monitoring.coreos.com resources: @@ -66,6 +84,8 @@ rules: - "" resources: - pods/exec + - pods/attach + - pods/log # log & attach rules needed to be able to grant them to AWX service account verbs: - create - get @@ -75,6 +95,8 @@ rules: - replicasets verbs: - get + verbs: + - create - apiGroups: - awx.ansible.com resources: diff --git a/deploy/awx-operator.yaml b/deploy/awx-operator.yaml index 4fc65b80..286a537f 100644 --- a/deploy/awx-operator.yaml +++ b/deploy/awx-operator.yaml @@ -621,7 +621,13 @@ rules: - routes - routes/custom-host verbs: - - '*' + - get + - list + - create + - delete + - patch + - update + - watch - apiGroups: - "" - "rbac.authorization.k8s.io" @@ -638,7 +644,13 @@ rules: - roles - rolebindings verbs: - - '*' + - get + - list + - create + - delete + - patch + - update + - watch - apiGroups: - apps - networking.k8s.io @@ -649,7 +661,13 @@ rules: - statefulsets - ingresses verbs: - - '*' + - get + - list + - create + - delete + - patch + - update + - watch - apiGroups: - monitoring.coreos.com resources: @@ -676,6 +694,8 @@ rules: - "" resources: - pods/exec + - pods/attach + - pods/log # log & attach rules needed to be able to grant them to AWX service account verbs: - create - get @@ -685,6 +705,8 @@ rules: - replicasets verbs: - get + verbs: + - create - apiGroups: - awx.ansible.com resources: