[RBAC] move namespace-scoped resource permissions to Roles

Signed-off-by: Tariq Ibrahim <[email protected]>

deployments/gpu-operator/templates/clusterrole.yaml

@@ -9,14 +9,19 @@ rules:
 - apiGroups:
   - config.openshift.io
   resources:
+  - clusterversions
   - proxies
   verbs:
   - get
+- apiGroups:
+  - image.openshift.io
+  resources:
+  - imagestreams
+  verbs:
+  - get
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - roles
-  - rolebindings
   - clusterroles
   - clusterrolebindings
   verbs:
@@ -30,12 +35,7 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
   - events
-  - configmaps
-  - secrets
-  - serviceaccounts
   verbs:
   - create
   - get
@@ -68,16 +68,9 @@ rules:
 - apiGroups:
   - apps
   resources:
-  - deployments
   - daemonsets
   verbs:
-  - create
   - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
 - apiGroups:
   - apps
   resources:
@@ -86,18 +79,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - servicemonitors
-  - prometheusrules
-  verbs:
-  - get
-  - list
-  - create
-  - watch
-  - update
-  - delete
 - apiGroups:
   - nvidia.com
   resources:
@@ -125,27 +106,6 @@ rules:
   - list
   - watch
   - create
-- apiGroups:
-  - security.openshift.io
-  resources:
-  - securitycontextconstraints
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  - use
-- apiGroups:
-  - config.openshift.io
-  resources:
-  - clusterversions
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -169,14 +129,6 @@ rules:
   - update
   - watch
   - delete
-- apiGroups:
-  - image.openshift.io
-  resources:
-  - imagestreams
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -190,17 +142,6 @@ rules:
   - delete
   - update
   - patch
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
 - apiGroups:
   - apiextensions.k8s.io
   resources:

deployments/gpu-operator/templates/role.yaml

@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gpu-operator
+  labels:
+    {{- include "gpu-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "gpu-operator"
+rules:
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - configmaps
+  - secrets
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  - prometheusrules
+  verbs:
+  - get
+  - list
+  - create
+  - watch
+  - update
+  - delete
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+  - use

deployments/gpu-operator/templates/rolebinding.yaml

@@ -0,0 +1,15 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gpu-operator
+  labels:
+    {{- include "gpu-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: "gpu-operator"
+subjects:
+- kind: ServiceAccount
+  name: gpu-operator
+  namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: Role
+  name: gpu-operator
+  apiGroup: rbac.authorization.k8s.io