rbac-role-controller.yaml

{{- $platform := "bmrg" -}}
{{- $product := "flow" -}}
{{- $tier := "rbac" -}}
{{- $values := .Values -}}
{{- $context := . -}}
{{- if $values.workers.security.enable }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "bmrg.name" (dict "context" $context "component" "handler" ) }}
  labels:
    {{- include "bmrg.labels.chart" (dict "context" $context "tier" $tier ) | nindent 4 }}
rules:
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
- apiGroups:
  - security.openshift.io
  resourceNames:
  - {{ $values.workers.security.policy }}
  resources:
  - securitycontextconstraints
  verbs:
  - use
{{- else }}
- apiGroups:
  - extensions
  resourceNames:
  - {{ $values.workers.security.policy }}
  resources:
  - podsecuritypolicies
  verbs:
  - use
{{- end }}
# objects used to create and execute tasks
  # Handler needs to watch Pods created by TaskRuns to see them progress.
  # logs get/watch are used to stream the pods logs
- apiGroups:
  - ""
  resources: 
  - pods
  - pods/log
  verbs: 
  - get
  - list
  - watch
  # pvc and pv are mentioned as we use auto management of pv
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
  - list
  - create
  - watch
  - delete
  # all workflow tasks are tekton TaskRuns and Tasks
  # https://github.com/cdfoundation/tekton-helm-chart/blob/master/charts/tekton-pipeline/templates/tekton-pipelines-controller-cluster-access-clusterrole.yaml
- apiGroups:
  - tekton.dev
  resources:
  - tasks
  - taskruns
  - tasks/status
  - taskruns/status
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - watch
  - delete
# configmaps specifically need patch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - delete
{{- end }}