Cluster-scoped permissions required by the Aspera HSTS operator
Aspera HSTS requires these cluster-scoped permissions:
| API group | Resources | Methods | Permission | Usage |
|---|---|---|---|---|
| "" | nodes | get, list, watch | Access to node resource for ascp/asperanode | |
| admissionregistration.k8s.io | validatingwebhookconfigurations | delete, get, list, patch, update, watch | Manage admission webhooks | The HSTS operator uses admission webhooks to provide immediate validation and feedback about the creation and modification of HSTS instances. The permission to manage webhooks is required for the operator to register these actions. |
| rbac.authorization.k8s.io | clusterroles, clusterrolebindings | create, delete, get, list, patch, update, watch | Manage ClusterRoles and ClusterRoleBindings | The HSTS operator gives the HSTS instances permission to list CustomResourceDefinitions, which are cluster-scoped objects. These permissions must be created and managed as ClusterRoles. The permission to manage ClusterRoleBindings enables the operator to identify the appropriate ClusterRole that is created. |
| console.openshift.io | consoleyamlsamples | create, delete, get, patch | Manage console YAML samples | ConsoleYAMLSamples are used to provide samples for the HSTS resources in the OpenShift Container Platform web console. The permission to manage ConsoleYAMLSamples is required for the operator to register the setting up of samples. |
| security.openshift.io | securitycontextconstraints | * | Manage security context constraints | |
| apiextensions.k8s.io | customresourcedefinitions | get, list | Manage custom resource definitions | With this permission, the HSTS operator can allow HSTS instances to identify whether other optional dependencies were installed in the OpenShift cluster. |
| monitoringcontroller.cloud.ibm.com | monitoringdashboards | create, get, list, watch | Manage monitoring dashboards | |

- An empty value ("") in the API group column indicates that the resource belongs to the core API group.
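The table above is a least-privilege baseline: anything the operator's ClusterRole grants beyond it (extra verbs, undocumented resources, a `*` that is not the documented one on securitycontextconstraints) is drift worth reviewing, and anything short of it will show up as operator failures. The following script is an added example, not IBM's or the operator's own code. It encodes the table as a dictionary, flattens the `rules` of a ClusterRole as returned by `kubectl get clusterrole <role-name> -o json` (the role name is a placeholder; the manifest below is a constructed sample, not a real Aspera manifest), and reports excess and missing verbs per (API group, resource) pair, plus every rule that uses a wildcard so the reviewer can confirm each one is intentional.

```python
import json

# Cluster-scoped permissions documented for the HSTS operator (the table above),
# keyed by (API group, resource). "" is the core API group; "*" means every verb.
DOCUMENTED = {
    ("", "nodes"): {"get", "list", "watch"},
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"):
        {"delete", "get", "list", "patch", "update", "watch"},
    ("rbac.authorization.k8s.io", "clusterroles"):
        {"create", "delete", "get", "list", "patch", "update", "watch"},
    ("rbac.authorization.k8s.io", "clusterrolebindings"):
        {"create", "delete", "get", "list", "patch", "update", "watch"},
    ("console.openshift.io", "consoleyamlsamples"): {"create", "delete", "get", "patch"},
    ("security.openshift.io", "securitycontextconstraints"): {"*"},
    ("apiextensions.k8s.io", "customresourcedefinitions"): {"get", "list"},
    ("monitoringcontroller.cloud.ibm.com", "monitoringdashboards"):
        {"create", "get", "list", "watch"},
}

# Constructed sample of `kubectl get clusterrole <role-name> -o json` output after
# some drift: an extra "create" on webhooks, an extra "watch" on CRDs, and the
# monitoringdashboards rule missing entirely. Not a real IBM manifest.
SAMPLE_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "hsts-operator-role-placeholder"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["console.openshift.io"], "resources": ["consoleyamlsamples"],
     "verbs": ["create", "delete", "get", "patch"]},
    {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
     "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch"]}
  ]
}
"""
SAMPLE_ROLE = json.loads(SAMPLE_ROLE_JSON)


def expand_rules(role):
    """Flatten PolicyRules into {(group, resource): set(verbs)}; a rule that lists
    several groups or resources grants its verbs to every combination."""
    granted = {}
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                granted.setdefault((group, resource), set()).update(rule.get("verbs", []))
    return granted


def audit(role):
    """Compare a ClusterRole against DOCUMENTED. Returns verbs granted beyond the
    table ("excess") and documented verbs the role lacks ("missing")."""
    granted = expand_rules(role)
    excess, missing = {}, {}
    for key, verbs in granted.items():
        allowed = DOCUMENTED.get(key)
        if allowed is None:
            excess[key] = set(verbs)          # resource not in the table at all
        elif "*" not in allowed:
            extra = set(verbs) - allowed      # a "*" verb here counts as extra
            if extra:
                excess[key] = extra
    for key, allowed in DOCUMENTED.items():
        verbs = granted.get(key, set())
        if "*" in verbs:
            continue                          # wildcard covers every documented verb
        lacking = allowed - verbs
        if lacking:
            missing[key] = lacking
    return {"excess": excess, "missing": missing}


def wildcard_grants(role):
    """Every rule with '*' in apiGroups, resources or verbs, documented or not,
    so each broad grant can be confirmed as intentional during review."""
    return [
        (tuple(r.get("apiGroups", [])), tuple(r.get("resources", [])), tuple(r.get("verbs", [])))
        for r in role.get("rules", [])
        if "*" in r.get("apiGroups", []) or "*" in r.get("resources", []) or "*" in r.get("verbs", [])
    ]


def documented_as_role():
    """A ClusterRole that grants exactly the documented set (useful as a fixture)."""
    return {"rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                      for (g, r), v in DOCUMENTED.items()]}


if __name__ == "__main__":
    report = audit(SAMPLE_ROLE)
    for kind in ("excess", "missing"):
        for (group, resource), verbs in sorted(report[kind].items()):
            print(f"{kind}: {group or 'core'}/{resource}: {sorted(verbs)}")
    for groups, resources, verbs in wildcard_grants(SAMPLE_ROLE):
        print(f"wildcard rule: groups={groups} resources={resources} verbs={verbs}")
```

To run it against a live cluster, replace `SAMPLE_ROLE` with `json.load()` of the `kubectl get clusterrole ... -o json` output. The script deliberately treats a `*` verb on any resource other than securitycontextconstraints as excess rather than as "covers the documented verbs", because a wildcard that the table does not call for is exactly the kind of grant a review should surface.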