fix permissions

class/defaults.yml

@@ -7,11 +7,11 @@ parameters:
       provider:
         registry: ghcr.io
         image: appuio/machine-api-provider-cloudscale
-        tag: v0.2.0-dev
+        tag: v0.2.0-dev3
       controller_deployer:
         registry: ghcr.io
         image: appuio/machine-api-provider-cloudscale
-        tag: v0.2.0-dev
+        tag: v0.2.0-dev3
       kube_rbac_proxy:
         registry: gcr.io
         image: kubebuilder/kube-rbac-proxy

component/main.jsonnet

@@ -15,39 +15,15 @@ local serviceAccount = kube.ServiceAccount('appuio-machine-api-provider-cloudsca
   metadata+: { namespace: params.namespace },
 };
 
-local role = kube.Role('appuio-machine-api-provider-cloudscale') {
-  metadata+: { namespace: params.namespace },
-  rules: [
-    {
-      apiGroups: [ 'machine.openshift.io' ],
-      resources: [ '*' ],
-      verbs: [ '*' ],
-    },
-    {
-      apiGroups: [ 'machine.openshift.io' ],
-      resources: [ 'machines/status' ],
-      verbs: [ 'get', 'patch', 'update' ],
-    },
-    {
-      apiGroups: [ '' ],
-      resources: [ 'secrets' ],
-      verbs: [ 'get', 'list', 'watch' ],
-    },
-    {
-      apiGroups: [ '' ],
-      resources: [ 'configmaps', 'deployments' ],
-      verbs: [ 'get', 'list', 'watch', 'create', 'update', 'patch', 'delete' ],
-    },
-  ],
-};
-
-local roleBinding = kube.RoleBinding('appuio-machine-api-provider-cloudscale') {
-  metadata+: { namespace: params.namespace },
+local clusterRoleBinding = kube.ClusterRoleBinding('appuio-machine-api-provider-cloudscale') {
   subjects_: [ serviceAccount ],
-  roleRef_: role,
+  roleRef: {
+    apiGroup: 'rbac.authorization.k8s.io',
+    kind: 'ClusterRole',
+    name: 'cluster-admin',
+  },
 };
 
-
 local kubeProxyContainer = function(upstreamPort, portName, exposePort) {
   args: [
     '--secure-listen-address=0.0.0.0:%s' % exposePort,
@@ -245,7 +221,6 @@ local deployment = kube._Object('apps/v1', 'Deployment', 'appuio-machine-api-pro
 // Define outputs below
 {
   serviceAccount: serviceAccount,
-  role: role,
-  roleBinding: roleBinding,
+  clusterRoleBinding: clusterRoleBinding,
   deployment: deployment,
 }

tests/golden/defaults/machine-api-provider-cloudscale/machine-api-provider-cloudscale/roleBinding.yaml → tests/golden/defaults/machine-api-provider-cloudscale/machine-api-provider-cloudscale/clusterRoleBinding.yaml

@@ -1,15 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   annotations: {}
   labels:
     name: appuio-machine-api-provider-cloudscale
   name: appuio-machine-api-provider-cloudscale
-  namespace: openshift-machine-api
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: appuio-machine-api-provider-cloudscale
+  kind: ClusterRole
+  name: cluster-admin
 subjects:
   - kind: ServiceAccount
     name: appuio-machine-api-provider-cloudscale

tests/golden/defaults/machine-api-provider-cloudscale/machine-api-provider-cloudscale/deployment.yaml

@@ -39,7 +39,7 @@ spec:
           command:
             - machine-api-provider-cloudscale
             - -target=manager
-          image: ghcr.io/appuio/machine-api-provider-cloudscale:v0.2.0-dev
+          image: ghcr.io/appuio/machine-api-provider-cloudscale:v0.2.0-dev3
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet:
@@ -71,7 +71,7 @@ spec:
           command:
             - machine-api-provider-cloudscale
             - -target=machine-api-controllers-manager
-          image: ghcr.io/appuio/machine-api-provider-cloudscale:v0.2.0-dev
+          image: ghcr.io/appuio/machine-api-provider-cloudscale:v0.2.0-dev3
           imagePullPolicy: IfNotPresent
           livenessProbe:
             httpGet: