Required cluster-scoped permissions for API Connect

API Connect requires these cluster-scoped permissions:

  • Manage admission webhooks - The API Connect operator uses admission webhooks to provide immediate validation and feedback about the creation and modification of API Connect instances. The permission to manage webhooks is required for the operator to register these actions.
    • API Groups: admissionregistration.k8s.io
    • Resources: mutatingwebhookconfigurations, validatingwebhookconfigurations
    • Verbs: create, delete, get, list, patch, update, watch
  • List storage classes - Allows the API Connect operator to validate that the storage classes selected by the user exist.
    • API Groups: storage.k8s.io
    • Resources: storageclasses
    • Verbs: get, list, watch
  • List certificate issuers - Allows the API Connect operator to validate that the certificate issuers specified by the user exist.
    • API Groups: certmanager.k8s.io
    • Resources: clusterissuers, issuers
    • Verbs: get, list, watch
  • List deployment settings - Allows the API Connect operator to validate the configuration settings that were specified by the user.
    • API Groups: ""
    • Resources: secrets, persistentvolumes, namespaces, nodes, componentstatuses
    • Verbs: get, list, watch
  • Update applications - Required for updating the API Connect deployment configuration.
    • API Groups: apps
    • Resources: deployments/finalizers
    • Verbs: update
  • List clusterroles - Allows the API Connect operator to validate the clusterrole settings that were specified by the user.
    • API Groups: rbac.authorization.k8s.io
    • Resources: clusterrolebindings, clusterroles
    • Verbs: get, list
  • Update clusterroles - Allows the API Connect operator to update clusterrole settings.
    • API Groups: rbac.authorization.k8s.io
    • Resources: clusterrolebindings/finalizers, clusterroles/finalizers
    • Verbs: update
  • View operators - Allows the API Connect operator to query the operators in the config.openshift.io group and determine the current version of OCP.
    • API Groups: config.openshift.io
    • Resources: clusteroperators
    • Verbs: get
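
To check a deployed operator role against the list above, the following added example (not IBM's code) compares a ClusterRole, exported as JSON, with the documented grants and reports anything broader or absent. The role name and the sample rules are constructed; rules that use resourceNames or nonResourceURLs are not evaluated.

```python
import json

# Documented grants from the list above: (apiGroup, resource) -> allowed verbs.
DOCUMENTED = {}
for group, resources, verbs in [
    ("admissionregistration.k8s.io",
     "mutatingwebhookconfigurations validatingwebhookconfigurations",
     "create delete get list patch update watch"),
    ("storage.k8s.io", "storageclasses", "get list watch"),
    ("certmanager.k8s.io", "clusterissuers issuers", "get list watch"),
    ("", "secrets persistentvolumes namespaces nodes componentstatuses", "get list watch"),
    ("apps", "deployments/finalizers", "update"),
    ("rbac.authorization.k8s.io", "clusterrolebindings clusterroles", "get list"),
    ("rbac.authorization.k8s.io",
     "clusterrolebindings/finalizers clusterroles/finalizers", "update"),
    ("config.openshift.io", "clusteroperators", "get"),
]:
    for res in resources.split():
        DOCUMENTED[(group, res)] = set(verbs.split())

def audit(cluster_role):
    """Return (excess, missing) grants relative to the documented list."""
    granted = {}
    for rule in cluster_role.get("rules") or []:
        for g in rule.get("apiGroups", []):
            for r in rule.get("resources", []):
                granted.setdefault((g, r), set()).update(rule.get("verbs", []))
    excess = []
    for key, verbs in sorted(granted.items()):
        # A wildcard group, resource or verb is always broader than documented.
        extra = verbs if "*" in key or "*" in verbs else verbs - DOCUMENTED.get(key, set())
        if extra:
            excess.append((key, sorted(extra)))
    # Wildcards are flagged above and deliberately not credited as documented grants.
    missing = [(k, sorted(v - granted.get(k, set())))
               for k, v in sorted(DOCUMENTED.items()) if v - granted.get(k, set())]
    return excess, missing

# Constructed sample, shaped like `kubectl get clusterrole <name> -o json` output.
SAMPLE = json.loads("""{"kind": "ClusterRole", "metadata": {"name": "example-operator"},
 "rules": [
  {"apiGroups": [""], "resources": ["secrets", "namespaces"], "verbs": ["get", "list", "watch", "delete"]},
  {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["*"]}]}""")

if __name__ == "__main__":
    for label, findings in zip(("EXCESS", "MISSING"), audit(SAMPLE)):
        for (group, res), verbs in findings:
            print(f"{label:8}{group or 'core'}/{res}: {', '.join(verbs)}")
```

Excess findings on secrets or on the rbac.authorization.k8s.io resources deserve the closest review, since those grants reach every namespace in the cluster.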