Permissions (Infrastructure Automation)
The following content shows the permissions and cluster permissions that are required by the Infrastructure Automation operators. <!-- Author's note: from https://github.ibm.com/katamari/cicd-snapshot-metadata/blob/ia-release-4.9/snapshot/4.9.0-202503101849/release-candidate/rbac/rbac-permissions-4.9.0-202503101849.yaml -->
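# RBAC required by the ibm-infrastructure-automation-operator, granted to the
# service account ibm-infrastructure-automation-operator-controller-manager.
# As in an OLM ClusterServiceVersion, rules under clusterPermissions apply
# cluster-wide and rules under permissions apply in the namespace(s) the
# operator is installed for. Nesting is restored here; values are unchanged.
ibm-infrastructure-automation-operator:
  clusterPermissions:
    - rules:
        # Write access to ConfigMaps in every namespace.
        - apiGroups:
            - ''
          resources:
            - configmaps
          verbs:
            - create
            - get
            - list
            - patch
            - update
            - watch
        # Cluster-wide pod deletion (single and by collection): an
        # availability-relevant grant, worth covering in audit logging.
        - apiGroups:
            - ''
          resources:
            - pods
          verbs:
            - delete
            - deletecollection
            - get
            - list
        - apiGroups:
            - operator.ibm.com
          resources:
            - namespacescopes
          verbs:
            - delete
            - deletecollection
            - get
            - list
        - apiGroups:
            - operators.coreos.com
          resources:
            - catalogsources
          verbs:
            - get
        # Creating or changing a Subscription asks OLM to install or upgrade
        # an operator, so this write access in every namespace deserves review.
        - apiGroups:
            - operators.coreos.com
          resources:
            - subscriptions
          verbs:
            - create
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - packages.operators.coreos.com
          resources:
            - packagemanifests
          verbs:
            - get
            - list
            - watch
      serviceAccountName: ibm-infrastructure-automation-operator-controller-manager
  permissions:
    - rules:
        - apiGroups:
            - ''
          resources:
            - configmaps
            - persistentvolumeclaims
          verbs:
            - get
            - list
            - watch
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - coordination.k8s.io
          resources:
            - leases
          verbs:
            - get
            - list
            - watch
            - create
            - update
            - patch
            - delete
        - apiGroups:
            - ''
          resources:
            - events
          verbs:
            - create
            - patch
        # Can create ServiceAccounts in the namespace; no delete on secrets
        # below, but serviceaccounts and services are fully managed.
        - apiGroups:
            - ''
          resources:
            - serviceaccounts
            - services
            - services/finalizers
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # get/list/watch on secrets exposes the contents of every Secret in
        # the namespace to this account; there is no resourceNames restriction.
        - apiGroups:
            - ''
          resources:
            - secrets
          verbs:
            - create
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - aiops.ibm.com
          resources:
            - iaconfigs
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - aiops.ibm.com
          resources:
            - iaconfigs/finalizers
          verbs:
            - update
        - apiGroups:
            - aiops.ibm.com
          resources:
            - iaconfigs/status
          verbs:
            - get
            - patch
            - update
        - apiGroups:
            - apps
          resources:
            - deployments
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - base.automation.ibm.com
          resources:
            - automationbases
            - cartridgerequirements
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - core.automation.ibm.com
          resources:
            - automationuiconfigs
            - cartridges
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - operator.ibm.com
          resources:
            - commonservices
            - operandbindinfos
            - operandconfigs
            - operandregistries
            - operandrequests
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # Full management of OLM objects in the namespace, including
        # CatalogSources and Subscriptions (which operators get installed
        # and from where).
        - apiGroups:
            - operators.coreos.com
          resources:
            - catalogsources
            - clusterserviceversions
            - subscriptions
            - operatorgroups
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - zen.cpd.ibm.com
          resources:
            - zenservices
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - cert-manager.io
          resources:
            - issuers
            - certificates
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # Legacy API group: NetworkPolicy under extensions/v1beta1 is no
        # longer served since Kubernetes 1.16; the networking.k8s.io rule
        # that follows is the one that takes effect on current clusters.
        - apiGroups:
            - extensions
          resources:
            - networkpolicies
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # Can create, change and delete NetworkPolicies, i.e. alter network
        # isolation for workloads in the namespace.
        - apiGroups:
            - networking.k8s.io
          resources:
            - networkpolicies
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
      serviceAccountName: ibm-infrastructure-automation-operator-controller-manager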
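# RBAC required by the ibm-management-cam-install operator, granted to the
# service account cam-install-operator-controller-manager.
# As in an OLM ClusterServiceVersion, rules under clusterPermissions apply
# cluster-wide and rules under permissions apply in the namespace(s) the
# operator is installed for. Nesting is restored here; values are unchanged.
# The cluster-wide section contains several wildcard ('*') verb grants; treat
# this service account and its tokens as highly privileged.
ibm-management-cam-install:
  clusterPermissions:
    - rules:
        - apiGroups:
            - coordination.k8s.io
          resources:
            - leases
          verbs:
            - get
            - list
            - watch
            - create
            - update
            - patch
            - delete
        # All verbs on every CRD in the cluster. Deleting a CRD also removes
        # all custom resources of that type.
        - apiGroups:
            - apiextensions.k8s.io
          resources:
            - customresourcedefinitions
          verbs:
            - '*'
        # Highest-risk grant in this listing: '*' also matches the RBAC
        # `escalate` and `bind` verbs, so this account can define any
        # ClusterRole and bind it to any subject, which is equivalent to
        # cluster-admin. No resourceNames restriction is present.
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - clusterrolebindings
            - clusterroles
          verbs:
            - '*'
        # certmanager.k8s.io is the legacy cert-manager API group (renamed
        # to cert-manager.io in cert-manager v0.11).
        # NOTE(review): `use` is not a standard API request verb for these
        # resources; confirm which component, if any, checks it.
        - apiGroups:
            - certmanager.k8s.io
          resources:
            - clusterissuers
          verbs:
            - use
        - apiGroups:
            - certmanager.k8s.io
          resources:
            - issuers
          verbs:
            - use
            - get
            - create
            - delete
            - patch
            - list
        # NOTE(review): presumably SecretShare resources drive copying of
        # secrets between namespaces; confirm, since cluster-wide create
        # would then reach secrets outside the operator's namespace.
        - apiGroups:
            - ibmcpcs.ibm.com
          resources:
            - secretshares
          verbs:
            - use
            - get
            - create
            - delete
            - patch
        # All verbs (including `use`) on every PodSecurityPolicy; unlike the
        # extensions rule below, this one has no resourceNames restriction.
        # The PodSecurityPolicy API was removed in Kubernetes 1.25.
        - apiGroups:
            - policy
          resources:
            - podsecuritypolicies
          verbs:
            - '*'
        # Restricted to the cam-services-psp policy, but in the legacy
        # extensions group; the unrestricted policy-group rule above already
        # covers more than this rule grants.
        - apiGroups:
            - extensions
          resourceNames:
            - cam-services-psp
          resources:
            - podsecuritypolicies
          verbs:
            - '*'
        # Can create and delete any SecurityContextConstraints cluster-wide.
        # `use` and `update` are not listed here, but the clusterroles grant
        # above lets the account give itself or others those verbs.
        - apiGroups:
            - security.openshift.io
          resources:
            - securitycontextconstraints
          verbs:
            - get
            - delete
            - create
            - watch
            - list
        # All verbs on Routes in every namespace, including custom hosts.
        - apiGroups:
            - route.openshift.io
          resources:
            - routes
            - routes/custom-host
          verbs:
            - '*'
        - apiGroups:
            - foundation.ibm.com
          resources:
            - navconfigurations
          verbs:
            - '*'
        - apiGroups:
            - operator.ibm.com
          resources:
            - operandrequests
          verbs:
            - '*'
      serviceAccountName: cam-install-operator-controller-manager
  permissions:
    - rules:
        # Full CRUD on core objects in the namespace, including reading and
        # deleting every Secret and creating ServiceAccounts.
        - apiGroups:
            - ''
          resources:
            - services
            - services/finalizers
            - endpoints
            - persistentvolumeclaims
            - events
            - configmaps
            - secrets
            - serviceaccounts
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - apps
          resources:
            - deployments
            - daemonsets
            - replicasets
            - statefulsets
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - monitoring.coreos.com
          resources:
            - servicemonitors
          verbs:
            - get
            - create
        - apiGroups:
            - apps
          resourceNames:
            - cam-install-operator-controller-manager
          resources:
            - deployments/finalizers
          verbs:
            - update
        - apiGroups:
            - ''
          resources:
            - pods
          verbs:
            - get
        # Already covered by the broader apps rule above (deployments and
        # replicasets with all seven verbs).
        - apiGroups:
            - apps
          resources:
            - replicasets
            - deployments
          verbs:
            - get
        - apiGroups:
            - networking.k8s.io
          resources:
            - networkpolicies
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # `escalate` and `bind` are not listed, so on their own these verbs
        # are subject to the API server's RBAC escalation checks. That limit
        # is moot for this account because of its cluster-wide '*' on
        # clusterroles and clusterrolebindings.
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - roles
            - rolebindings
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - cam.management.ibm.com
          resources:
            - manageservices
            - manageservices/finalizers
            - manageservices/status
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # Covers both the legacy (certmanager.k8s.io) and current
        # (cert-manager.io) cert-manager API groups.
        - apiGroups:
            - certmanager.k8s.io
            - cert-manager.io
          resources:
            - certificates
            - issuers
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # NOTE(review): `NetworkPolicy` is a Kind name; RBAC matches the
        # lowercase plural resource name, so this entry likely matches
        # nothing. The networkpolicies rule above already grants the access.
        # Left as published because the page documents the shipped rules.
        - apiGroups:
            - networking.k8s.io
          resources:
            - NetworkPolicy
            - ingresses
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - batch
          resources:
            - jobs
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - oidc.security.ibm.com
          resources:
            - clients
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - zen.cpd.ibm.com
          resources:
            - zenextensions
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
      serviceAccountName: cam-install-operator-controller-manager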
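# RBAC required by the ibm-management-im-install operator, granted to the
# service account ibm-infra-management-install-operator.
# As in an OLM ClusterServiceVersion, rules under clusterPermissions apply
# cluster-wide and rules under permissions apply in the namespace(s) the
# operator is installed for. Nesting is restored here; values are unchanged.
ibm-management-im-install:
  clusterPermissions:
    - rules:
        - apiGroups:
            - foundation.ibm.com
          resources:
            - multicluster-hub-nav
            - navconfigurations
          verbs:
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - infra.management.ibm.com
          resources:
            - connections
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # Scoped with resourceNames to two named roles, and without create,
        # delete, escalate or bind: a narrow grant.
        # NOTE(review): the RBAC resource name is `clusterroles` (plural);
        # `clusterrole` as written likely matches nothing. Left as published
        # because the page documents the shipped rules.
        - apiGroups:
            - rbac.authorization.k8s.io
          resourceNames:
            - ibm-infra-management-install-operator-connection
            - ibm-infra-management-install-operator-navigation
          resources:
            - clusterrole
          verbs:
            - get
            - list
            - patch
            - update
      serviceAccountName: ibm-infra-management-install-operator
  permissions:
    - rules:
        # Full CRUD on core objects in the namespace, including reading and
        # deleting every Secret, creating pods, and creating ServiceAccounts.
        - apiGroups:
            - ''
          resources:
            - configmaps
            - events
            - persistentvolumeclaims
            - pods
            - pods/finalizers
            - secrets
            - serviceaccounts
            - services
            - services/finalizers
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # Read access to container logs of pods in the namespace.
        - apiGroups:
            - ''
          resources:
            - pods/log
          verbs:
            - get
        - apiGroups:
            - apps
          resources:
            - deployments
            - deployments/scale
            - replicasets
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - apps
          resourceNames:
            - ibm-infra-management-application
            - ibm-infra-management-install-operator
          resources:
            - deployments/finalizers
          verbs:
            - update
        - apiGroups:
            - cert-manager.io
          resources:
            - certificates
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - coordination.k8s.io
          resources:
            - leases
          verbs:
            - create
            - delete
            - get
            - list
            - update
        # Legacy API group: Deployment and NetworkPolicy under
        # extensions/v1beta1 are no longer served since Kubernetes 1.16; the
        # apps and networking.k8s.io rules in this list cover current clusters.
        - apiGroups:
            - extensions
          resources:
            - deployments
            - deployments/scale
            - networkpolicies
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - ibmevents.ibm.com
          resources:
            - kafkas
            - kafkatopics
            - kafkausers
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - infra.management.ibm.com
          resources:
            - iminstalls
          verbs:
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - infra.management.ibm.com
          resources:
            - iminstalls/finalizers
          verbs:
            - update
        - apiGroups:
            - infra.management.ibm.com
          resources:
            - iminstalls/status
          verbs:
            - get
            - patch
            - update
        - apiGroups:
            - manageiq.org
          resources:
            - manageiqs
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - manageiq.org
          resources:
            - manageiqs/finalizers
          verbs:
            - update
        - apiGroups:
            - manageiq.org
          resources:
            - manageiqs/status
          verbs:
            - get
            - patch
            - update
        - apiGroups:
            - monitoring.coreos.com
          resources:
            - servicemonitors
          verbs:
            - create
            - get
        # Can create, change and delete Ingresses and NetworkPolicies, i.e.
        # alter exposure and network isolation for workloads in the namespace.
        - apiGroups:
            - networking.k8s.io
          resources:
            - ingresses
            - networkpolicies
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - oidc.security.ibm.com
          resources:
            - clients
          verbs:
            - create
            - delete
            - get
            - patch
            - update
        - apiGroups:
            - operator.ibm.com
          resources:
            - operandrequests
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        # `escalate` and `bind` are not listed, so the API server's RBAC
        # escalation checks apply: the account can only grant permissions it
        # already holds in this namespace.
        - apiGroups:
            - rbac.authorization.k8s.io
          resources:
            - rolebindings
            - roles
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
        - apiGroups:
            - route.openshift.io
          resources:
            - routes
            - routes/custom-host
          verbs:
            - create
            - delete
            - get
            - list
            - patch
            - update
            - watch
      serviceAccountName: ibm-infra-management-install-operator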