alo9507 · February 4, 2021 16:01
diff --git a/strimzi-operator.yml b/strimzi-operator.yml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: strimzi-entity-operator
  labels:
    app: strimzi
 rules:
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      # The entity operator runs the KafkaTopic assembly operator, which needs to access and manage KafkaTopic resources
      - kafkatopics
      - kafkatopics/status
      # The entity operator runs the KafkaUser assembly operator, which needs to access and manage KafkaUser resources
      - kafkausers
      - kafkausers/status
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      # The entity operator needs to be able to create events
      - create
  - apiGroups:
      - ""
    resources:
      # The entity operator user-operator needs to access and manage secrets to store generated credentials
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: strimzi-cluster-operator-global
  labels:
    app: strimzi
 rules:
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to create and manage cluster role bindings in the case of an install where a user
      # has specified they want their cluster role bindings generated
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - storage.k8s.io
    resources:
      # The cluster operator requires "get" permissions to view storage class details
      # This is because only a persistent volume of a supported storage class type can be resized
      - storageclasses
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      # The cluster operator requires "list" permissions to view all nodes in a cluster
      # The listing is used to determine the node addresses when NodePort access is configured
      # These addresses are then exposed in the custom resource states
      - nodes
    verbs:
      - list

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: strimzi-cluster-operator-namespaced
  labels:
    app: strimzi
 rules:
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions
      - rolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      # The cluster operator needs to access and manage roles to grant the entity operator permissions
      - roles
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates
      - pods
      # The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions
      - serviceaccounts
      # The cluster operator needs to access and manage config maps for Strimzi components configuration
      - configmaps
      # The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic
      - services
      - endpoints
      # The cluster operator needs to access and manage secrets to handle credentials
      - secrets
      # The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      # The cluster operator runs the KafkaAssemblyOperator, which needs to access and manage Kafka resources
      - kafkas
      - kafkas/status
      # The cluster operator runs the KafkaConnectAssemblyOperator, which needs to access and manage KafkaConnect resources
      - kafkaconnects
      - kafkaconnects/status
      # The cluster operator runs the KafkaConnectS2IAssemblyOperator, which needs to access and manage KafkaConnectS2I resources
      - kafkaconnects2is
      - kafkaconnects2is/status
      # The cluster operator runs the KafkaConnectorAssemblyOperator, which needs to access and manage KafkaConnector resources
      - kafkaconnectors
      - kafkaconnectors/status
      # The cluster operator runs the KafkaMirrorMakerAssemblyOperator, which needs to access and manage KafkaMirrorMaker resources
      - kafkamirrormakers
      - kafkamirrormakers/status
      # The cluster operator runs the KafkaBridgeAssemblyOperator, which needs to access and manage BridgeMaker resources
      - kafkabridges
      - kafkabridges/status
      # The cluster operator runs the KafkaMirrorMaker2AssemblyOperator, which needs to access and manage KafkaMirrorMaker2 resources
      - kafkamirrormaker2s
      - kafkamirrormaker2s/status
      # The cluster operator runs the KafkaRebalanceAssemblyOperator, which needs to access and manage KafkaRebalance resources
      - kafkarebalances
      - kafkarebalances/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      # The cluster operator needs the extensions api as the operator supports Kubernetes version 1.11+
      # apps/v1 was introduced in Kubernetes 1.14
      - "extensions"
    resources:
      # The cluster operator needs to access and manage deployments to run deployment based Strimzi components
      - deployments
      - deployments/scale
      # The cluster operator needs to access replica sets to manage Strimzi components and to determine error states
      - replicasets
      # The cluster operator needs to access and manage replication controllers to manage replicasets
      - replicationcontrollers
      # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
      - networkpolicies
      # The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - "apps"
    resources:
      # The cluster operator needs to access and manage deployments to run deployment based Strimzi components
      - deployments
      - deployments/scale
      - deployments/status
      # The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components
      - statefulsets
      # The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states
      - replicasets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      # The cluster operator needs to be able to create events and delegate permissions to do so
      - events
    verbs:
      - create
  - apiGroups:
      # OpenShift S2I requirements
      - apps.openshift.io
    resources:
      - deploymentconfigs
      - deploymentconfigs/scale
      - deploymentconfigs/status
      - deploymentconfigs/finalizers
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      # OpenShift S2I requirements
      - build.openshift.io
    resources:
      - buildconfigs
      - buildconfigs/instantiate
      - builds
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      # OpenShift S2I requirements
      - image.openshift.io
    resources:
      - imagestreams
      - imagestreams/status
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      # The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
      - networkpolicies
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - route.openshift.io
    resources:
      # The cluster operator needs to access and manage routes to expose Strimzi components for external access
      - routes
      - routes/custom-host
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      # The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions
      # that a Strimzi component experiences, allowing for higher availability
      - poddisruptionbudgets
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - patch
      - update

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: strimzi-topic-operator
  labels:
    app: strimzi
 rules:
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      - kafkatopics
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create

 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: strimzi-kafka-client
  labels:
    app: strimzi
 rules:
  - apiGroups:
      - ""
    resources:
      # The Kafka clients (Connect, Mirror Maker, etc.) require "get" permissions to view the node they are on
      # This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest
      # replicas when enabled
      - nodes
    verbs:
      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: strimzi-kafka-broker
  labels:
    app: strimzi
 rules:
  - apiGroups:
      - ""
    resources:
      # The Kafka Brokers require "get" permissions to view the node they are on
      # This information is used to generate a Rack ID that is used for High Availability configurations
      - nodes
    verbs:
      - get
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: strimzi-entity-operator
	labels:
	app: strimzi
	rules:
	- apiGroups:
	- "kafka.strimzi.io"
	resources:
	# The entity operator runs the KafkaTopic assembly operator, which needs to access and manage KafkaTopic resources
	- kafkatopics
	- kafkatopics/status
	# The entity operator runs the KafkaUser assembly operator, which needs to access and manage KafkaUser resources
	- kafkausers
	- kafkausers/status
	verbs:
	- get
	- list
	- watch
	- create
	- patch
	- update
	- delete
	- apiGroups:
	- ""
	resources:
	- events
	verbs:
	# The entity operator needs to be able to create events
	- create
	- apiGroups:
	- ""
	resources:
	# The entity operator user-operator needs to access and manage secrets to store generated credentials
	- secrets
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update

	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: strimzi-cluster-operator-global
	labels:
	app: strimzi
	rules:
	- apiGroups:
	- "rbac.authorization.k8s.io"
	resources:
	# The cluster operator needs to create and manage cluster role bindings in the case of an install where a user
	# has specified they want their cluster role bindings generated
	- clusterrolebindings
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- storage.k8s.io
	resources:
	# The cluster operator requires "get" permissions to view storage class details
	# This is because only a persistent volume of a supported storage class type can be resized
	- storageclasses
	verbs:
	- get
	- apiGroups:
	- ""
	resources:
	# The cluster operator requires "list" permissions to view all nodes in a cluster
	# The listing is used to determine the node addresses when NodePort access is configured
	# These addresses are then exposed in the custom resource states
	- nodes
	verbs:
	- list

	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: strimzi-cluster-operator-namespaced
	labels:
	app: strimzi
	rules:
	- apiGroups:
	- "rbac.authorization.k8s.io"
	resources:
	# The cluster operator needs to access and manage rolebindings to grant Strimzi components cluster permissions
	- rolebindings
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- "rbac.authorization.k8s.io"
	resources:
	# The cluster operator needs to access and manage roles to grant the entity operator permissions
	- roles
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- ""
	resources:
	# The cluster operator needs to access and delete pods, this is to allow it to monitor pod health and coordinate rolling updates
	- pods
	# The cluster operator needs to access and manage service accounts to grant Strimzi components cluster permissions
	- serviceaccounts
	# The cluster operator needs to access and manage config maps for Strimzi components configuration
	- configmaps
	# The cluster operator needs to access and manage services and endpoints to expose Strimzi components to network traffic
	- services
	- endpoints
	# The cluster operator needs to access and manage secrets to handle credentials
	- secrets
	# The cluster operator needs to access and manage persistent volume claims to bind them to Strimzi components for persistent data
	- persistentvolumeclaims
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- "kafka.strimzi.io"
	resources:
	# The cluster operator runs the KafkaAssemblyOperator, which needs to access and manage Kafka resources
	- kafkas
	- kafkas/status
	# The cluster operator runs the KafkaConnectAssemblyOperator, which needs to access and manage KafkaConnect resources
	- kafkaconnects
	- kafkaconnects/status
	# The cluster operator runs the KafkaConnectS2IAssemblyOperator, which needs to access and manage KafkaConnectS2I resources
	- kafkaconnects2is
	- kafkaconnects2is/status
	# The cluster operator runs the KafkaConnectorAssemblyOperator, which needs to access and manage KafkaConnector resources
	- kafkaconnectors
	- kafkaconnectors/status
	# The cluster operator runs the KafkaMirrorMakerAssemblyOperator, which needs to access and manage KafkaMirrorMaker resources
	- kafkamirrormakers
	- kafkamirrormakers/status
	# The cluster operator runs the KafkaBridgeAssemblyOperator, which needs to access and manage BridgeMaker resources
	- kafkabridges
	- kafkabridges/status
	# The cluster operator runs the KafkaMirrorMaker2AssemblyOperator, which needs to access and manage KafkaMirrorMaker2 resources
	- kafkamirrormaker2s
	- kafkamirrormaker2s/status
	# The cluster operator runs the KafkaRebalanceAssemblyOperator, which needs to access and manage KafkaRebalance resources
	- kafkarebalances
	- kafkarebalances/status
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	# The cluster operator needs the extensions api as the operator supports Kubernetes version 1.11+
	# apps/v1 was introduced in Kubernetes 1.14
	- "extensions"
	resources:
	# The cluster operator needs to access and manage deployments to run deployment based Strimzi components
	- deployments
	- deployments/scale
	# The cluster operator needs to access replica sets to manage Strimzi components and to determine error states
	- replicasets
	# The cluster operator needs to access and manage replication controllers to manage replicasets
	- replicationcontrollers
	# The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
	- networkpolicies
	# The cluster operator needs to access and manage ingresses which allow external access to the services in a cluster
	- ingresses
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- "apps"
	resources:
	# The cluster operator needs to access and manage deployments to run deployment based Strimzi components
	- deployments
	- deployments/scale
	- deployments/status
	# The cluster operator needs to access and manage stateful sets to run stateful sets based Strimzi components
	- statefulsets
	# The cluster operator needs to access replica-sets to manage Strimzi components and to determine error states
	- replicasets
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- ""
	resources:
	# The cluster operator needs to be able to create events and delegate permissions to do so
	- events
	verbs:
	- create
	- apiGroups:
	# OpenShift S2I requirements
	- apps.openshift.io
	resources:
	- deploymentconfigs
	- deploymentconfigs/scale
	- deploymentconfigs/status
	- deploymentconfigs/finalizers
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	# OpenShift S2I requirements
	- build.openshift.io
	resources:
	- buildconfigs
	- buildconfigs/instantiate
	- builds
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	# OpenShift S2I requirements
	- image.openshift.io
	resources:
	- imagestreams
	- imagestreams/status
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- networking.k8s.io
	resources:
	# The cluster operator needs to access and manage network policies to lock down communication between Strimzi components
	- networkpolicies
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- route.openshift.io
	resources:
	# The cluster operator needs to access and manage routes to expose Strimzi components for external access
	- routes
	- routes/custom-host
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update
	- apiGroups:
	- policy
	resources:
	# The cluster operator needs to access and manage pod disruption budgets this limits the number of concurrent disruptions
	# that a Strimzi component experiences, allowing for higher availability
	- poddisruptionbudgets
	verbs:
	- get
	- list
	- watch
	- create
	- delete
	- patch
	- update

	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: strimzi-topic-operator
	labels:
	app: strimzi
	rules:
	- apiGroups:
	- "kafka.strimzi.io"
	resources:
	- kafkatopics
	verbs:
	- get
	- list
	- watch
	- create
	- patch
	- update
	- delete
	- apiGroups:
	- ""
	resources:
	- events
	verbs:
	- create

	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: strimzi-kafka-client
	labels:
	app: strimzi
	rules:
	- apiGroups:
	- ""
	resources:
	# The Kafka clients (Connect, Mirror Maker, etc.) require "get" permissions to view the node they are on
	# This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest
	# replicas when enabled
	- nodes
	verbs:
	- get
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: strimzi-kafka-broker
	labels:
	app: strimzi
	rules:
	- apiGroups:
	- ""
	resources:
	# The Kafka Brokers require "get" permissions to view the node they are on
	# This information is used to generate a Rack ID that is used for High Availability configurations
	- nodes
	verbs:
	- get