fix(rbac): adjust access on TeamRole & TeamRoleBindings for org membe…

…rs & cluster admins (#647) * fix(rbac): allow org members to view TeamRole & TeamRoleBindings * fix(rbac): grant permissions on TeamRoles to cluster admins * refactor: combine sections of the same group
cloudoperators · Oct 23, 2024 · 433bf97 · 433bf97
1 parent 565d851
commit 433bf97
Showing 1 changed file with 3 additions and 15 deletions.
diff --git a/pkg/rbac/role.go b/pkg/rbac/role.go
@@ -32,12 +32,6 @@ func OrganizationAdminPolicyRules() []rbacv1.PolicyRule {
 			APIGroups: []string{"rbac.authorization.k8s.io"},
 			Resources: []string{"rolebindings"},
 		},
-		// Grant permission for TeamRoles
-		{
-			Verbs:     []string{"get", "list", "watch", "update", "patch", "delete", "create"},
-			APIGroups: []string{greenhouseapisv1alpha1.GroupVersion.Group},
-			Resources: []string{"teamroles"},
-		},
 		// Grant permission to view Alertmanager and AlertmanagerConfig resources
 		{
 			Verbs:     []string{"get", "list", "watch"},
@@ -59,11 +53,11 @@ func OrganizationAdminPolicyRules() []rbacv1.PolicyRule {
 // OrganizationClusterAdminPolicyRules returns the namespace-scoped PolicyRules for an organization cluster admin.
 func OrganizationClusterAdminPolicyRules() []rbacv1.PolicyRule {
 	policyRules := []rbacv1.PolicyRule{
-		// Grant read permissions for Clusters to organization cluster admins.
+		// Grant CRUD Permissions for Clusters, TeamRoles and TeamRoleBindings
 		{
 			Verbs:     []string{"get", "list", "watch", "update", "patch", "delete", "create"},
 			APIGroups: []string{greenhouseapisv1alpha1.GroupVersion.Group},
-			Resources: []string{"clusters"},
+			Resources: []string{"clusters", "teamroles", "teamrolebindings"},
 		},
 		// Grant permissions for secrets referenced by other resources, e.g. Plugins for storing sensitive values.
 		// Retrieving these secrets is not permitted to the user.
@@ -72,12 +66,6 @@ func OrganizationClusterAdminPolicyRules() []rbacv1.PolicyRule {
 			APIGroups: []string{corev1.GroupName},
 			Resources: []string{"secrets"},
 		},
-		// Grant permission for TeamRoleBindings
-		{
-			Verbs:     []string{"get", "list", "watch", "update", "patch", "delete", "create"},
-			APIGroups: []string{greenhouseapisv1alpha1.GroupVersion.Group},
-			Resources: []string{"teamrolebindings"},
-		},
 	}
 	return append(OrganizationMemberPolicyRules(), policyRules...)
 }
@@ -109,7 +97,7 @@ func OrganizationMemberPolicyRules() []rbacv1.PolicyRule {
 		{
 			Verbs:     []string{"get", "list", "watch"},
 			APIGroups: []string{greenhouseapisv1alpha1.GroupVersion.Group},
-			Resources: []string{"clusters", "plugins", "pluginpresets", "teams", "teammemberships"},
+			Resources: []string{"clusters", "plugins", "pluginpresets", "teams", "teammemberships", "teamroles", "teamrolebindings"},
 		},
 	}
 }