Required cluster-scoped permissions for API Connect
API Connect requires these cluster-scoped permissions:
| API group | Resources | Methods | Permission | Usage |
|---|---|---|---|---|
| admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | create, delete, get, list, patch, update, watch | Manage admission webhooks | The API Connect operator uses admission webhooks to provide immediate validation and feedback about the creation and modification of API Connect instances. The permission to manage webhooks is required for the operator to register these actions. |
| storage.k8s.io | storageclasses | get, list, watch | List storage classes | Allows the API Connect operator to identify and validate that the specified storage classes selected by the user exist |
| certmanager.k8s.io | clusterissuers, issuers | get, list, watch | List certificate issuers | Allows the API Connect operator to validate that the certificate issuers specified by the user exist |
| "" | secrets, persistentvolumes, namespaces, nodes, componentstatuses | get, list, watch | List deployment settings | Allows the API Connect operator to validate the configuration settings that were specified by the user |
| apps | deployments,/finalizers | update | Update applications | Required for updating the API Connect deployment configuration |
| rbac.authorization.k8s.io | clusterrolebindings, clusterroles | get, list | List clusterroles | Allows the API Connect operator to validate the clusterrole settings that were specified by the user |
| rbac.authorization.k8s.io | clusterrolebindings/finalizers, clusterroles/finalizers | update | Update clusterroles | Allows the API Connect operator to update clusterrole settings |
| config.openshift.io | clusteroperators | get | View operators | Allows the API Connect operator to query the operators in the
config.openshift.io group and determine the current version of OCP |
- An empty value ("") in the API group column indicates that the permission is a core resource.