diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml index dfcfdb88e..87fc98dd5 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml @@ -101,6 +101,26 @@ rules: - get - list - watch + #### Can be removed if your platform isn't Openshift + - apiGroups: [ "operator.openshift.io" ] + resources: [ "imagecontentsourcepolicies","openshiftapiservers","kubeapiservers" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "security.openshift.io" ] + resources: [ "securitycontextconstraints" ] + verbs: [ "get", "list" ] + - apiGroups: [ "config.openshift.io" ] + resources: [ "clusteroperators" ] + verbs: [ "get", "list" ] + - apiGroups: [ "machineconfiguration.openshift.io" ] + resources: [ "machineconfigs","machineconfigpools" ] + verbs: [ "get", "list" ] + - apiGroups: [ "" ] + resources: [ "pods/exec" ] + verbs: [ "create" ] + - apiGroups: [ "" ] + resources: [ "serviceaccounts","endpoints" ] + verbs: [ "list" ] + #### --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml index fbb9934b0..d1a5d673e 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml @@ -101,6 +101,26 @@ rules: - get - list - watch + #### Can be removed if your platform isn't Openshift + - apiGroups: [ "operator.openshift.io" ] + resources: [ "imagecontentsourcepolicies","openshiftapiservers","kubeapiservers" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "security.openshift.io" ] + resources: [ "securitycontextconstraints" ] + verbs: [ "get", "list" ] + - apiGroups: [ "config.openshift.io" ] + resources: [ "clusteroperators" ] + verbs: [ "get", "list" ] + - apiGroups: [ "machineconfiguration.openshift.io" ] + resources: [ "machineconfigs","machineconfigpools" ] + verbs: [ "get", "list" ] + - apiGroups: [ "" ] + resources: [ "pods/exec" ] + verbs: [ "create" ] + - apiGroups: [ "" ] + resources: [ "serviceaccounts","endpoints" ] + verbs: [ "list" ] + #### --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml index 3f3fb9096..f9d0f37d6 100644 --- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml +++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml @@ -95,6 +95,26 @@ rules: - get - list - watch + #### Can be removed if your platform isn't Openshift + - apiGroups: [ "operator.openshift.io" ] + resources: [ "imagecontentsourcepolicies","openshiftapiservers","kubeapiservers" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "security.openshift.io" ] + resources: [ "securitycontextconstraints" ] + verbs: [ "get", "list" ] + - apiGroups: [ "config.openshift.io" ] + resources: [ "clusteroperators" ] + verbs: [ "get", "list" ] + - apiGroups: [ "machineconfiguration.openshift.io" ] + resources: [ "machineconfigs","machineconfigpools" ] + verbs: [ "get", "list" ] + - apiGroups: [ "" ] + resources: [ "pods/exec" ] + verbs: [ "create" ] + - apiGroups: [ "" ] + resources: [ "serviceaccounts","endpoints" ] + verbs: [ "list" ] + #### --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding