acm/deploy/helm/clc-state-metrics/templates/metrics-clusterrole.yaml (49 lines of code) (raw):
# Copyright Contributors to the Open Cluster Management project
# ClusterRole for the clusterlifecycle-state-metrics-v2 component. The role
# name is prefixed with the chart's .Values.org value.
# NOTE(review): the binding is not part of this file. If this role is bound
# with a ClusterRoleBinding, every resource rule below applies in all
# namespaces; confirm the binding and subject match that intent.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.org }}:cluster-lifecycle:clusterlifecycle-state-metrics-v2
rules:
  # Leader election: manage ConfigMaps in the core API group.
  # NOTE(review): there is no resourceNames restriction, so a cluster-wide
  # binding lets the subject create, update, read and delete ConfigMaps in
  # any namespace. Confirm whether a namespaced Role limited to the election
  # ConfigMap would be sufficient.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - update
      - get
      - delete
  # Read individual Namespace objects.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  # Read-only access to cluster inventory objects. No rule in this role
  # grants access to CSRs or any write verb on these resources.
  - apiGroups:
      - hive.openshift.io
    resources:
      - clusterdeployments
    verbs:
      - get
  - apiGroups:
      - internal.open-cluster-management.io
    resources:
      - managedclusterinfos
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - cluster.open-cluster-management.io
    resources:
      - managedclusters
    verbs:
      - get
      - list
      - watch
  # Query the CVO (ClusterVersion) on the hub cluster to get the ClusterId.
  - apiGroups:
      - config.openshift.io
    resources:
      - clusterversions
    verbs:
      - get
  # Submit TokenReviews.
  # NOTE(review): presumably paired with the SubjectAccessReview rule below
  # to authenticate and authorize clients of the metrics endpoint - confirm.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # Read-only access to core Pods, Services and Endpoints.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
  # Submit SubjectAccessReviews.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  # Read-only monitoring of add-ons and ManifestWorks.
  - apiGroups:
      - addon.open-cluster-management.io
    resources:
      - managedclusteraddons
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - work.open-cluster-management.io
    resources:
      - manifestworks
    verbs:
      - get
      - list
      - watch
  # Allow GET on the /metrics non-resource URL. Non-resource URL rules only
  # take effect when the role is bound through a ClusterRoleBinding.
  - nonResourceURLs:
      - '/metrics'
    verbs:
      - get