fix up template instance controller permissions

bparees · bparees · commit d7f7eaf351b0 · 2017-11-11T16:09:56.000-05:00
diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -156,7 +156,6 @@ func init() {
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraTemplateInstanceControllerServiceAccountName},
 		Rules: []rbac.PolicyRule{
 			rbac.NewRule("create").Groups(kAuthzGroup).Resources("subjectaccessreviews").RuleOrDie(),
-			rbac.NewRule("get", "list", "watch").Groups(templateGroup).Resources("subjectaccessreviews").RuleOrDie(),
 			rbac.NewRule("update").Groups(templateGroup).Resources("templateinstances/status").RuleOrDie(),
 			rbac.NewRule("update").Groups(templateGroup).Resources("templateinstances/finalizers").RuleOrDie(),
 		},
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -3106,14 +3106,6 @@ items:
     - subjectaccessreviews
     verbs:
     - create
-  - apiGroups:
-    - template.openshift.io
-    resources:
-    - subjectaccessreviews
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups:
     - template.openshift.io
     resources:
diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
@@ -3389,15 +3389,6 @@ items:
     - subjectaccessreviews
     verbs:
     - create
-  - apiGroups:
-    - template.openshift.io
-    attributeRestrictions: null
-    resources:
-    - subjectaccessreviews
-    verbs:
-    - get
-    - list
-    - watch
   - apiGroups:
     - template.openshift.io
     attributeRestrictions: null
