USC: Allow managing UpdateStatuses

petr-muller · petr-muller · commit 79c914c33e13 · 2025-03-04T17:24:51.000+01:00
...through a ClusterRole / ClusterRoleBinding; UpdateStatus is cluster-scoped
diff --git a/install/0000_00_update-status-controller_02_rbac-DevPreviewNoUpgrade.yaml b/install/0000_00_update-status-controller_02_rbac-DevPreviewNoUpgrade.yaml
@@ -60,32 +60,25 @@ rules:
   - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   name: update-status-controller
   namespace: openshift-update-status-controller
   annotations:
-    kubernetes.io/description: Grant the update status controller permission to read and observe ConfigMaps, and modify the ConfigMap that serves as UpdateStatus API
+    kubernetes.io/description: Grant the update status controller permission to manage UpdateStatuses
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/feature-set: DevPreviewNoUpgrade
 rules:
 - apiGroups:
-  - ""
+  - update.openshift.io
   resources:
-  - configmaps
+  - updatestatuses
   verbs:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  resourceNames:
-  - status-api-cm-prototype
-  verbs:
+  - create
   - patch
-  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -183,20 +176,19 @@ subjects:
   namespace: openshift-update-status-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: update-status-controller-updatestatus-api-manager
-  namespace: openshift-update-status-controller
   annotations:
-    kubernetes.io/description: Grant the update status controller permission to manage the ConfigMap that serves as UpdateStatus API
+    kubernetes.io/description: Grant the update status controller permission to manage UpdateStatus API
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/feature-set: DevPreviewNoUpgrade
 subjects:
 - kind: ServiceAccount
   name: update-status-controller
   namespace: openshift-update-status-controller
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: update-status-controller
   apiGroup: rbac.authorization.k8s.io
 ---
