Cluster-scoped permissions required by the Aspera HSTS operator

Aspera HSTS requires these cluster-scoped permissions:

  • Access to node resource for ascp/asperanode.
    • API Groups: ""
    • Resources: nodes
    • Verbs: get, list, watch
    Note: API Groups is empty because it's a core resource.
  • Manage admission webhooks - The HSTS operator uses admission webhooks to provide immediate validation and feedback about the creation and modification of HSTS instances. The permission to manage webhooks is required for the operator to register these actions.
    • API Groups: admissionregistration.k8s.io.
    • Resources: validatingwebhookconfigurations.
    • Verbs: create, delete, get, list, patch, update, watch.
  • Manage clusterrole/clusterrole bindings - The HSTS operator gives the HSTS instances permissions to list CustomResourceDefinitions, which are cluster-scoped objects. These permissions must be created and managed as ClusterRoles. The permission to manage ClusterRoleBindings allows the operator to identify the appropriate ClusterRole created.
    • API Groups: rbac.authorization.k8s.io.
    • Resources: clusterroles, clusterrolebindings.
    • Verbs: create, delete, get, list, patch, update, watch.
  • Manage console yaml samples - ConsoleYAMLSamples are used to provide samples for the HSTS resources in the OpenShift Container Platform web console. The permission to manage ConsoleYAMLSamples is required for the operator to register the setting up of samples.
    • API Groups: console.openshift.io.
    • Resources: consoleyamlsamples.
    • Verbs: create, delete, get, patch.
  • Manage security context constraints.
    • API Groups: security.openshift.io.
    • Resources: securitycontextconstraints.
    • Verbs: '*'.
  • Manage custom resources definitions - Required to allow the HSTS operator to give permissions to the HSTS instances to identify whether other optional dependencies were installed into the cluster.
    • API Groups: apiextensions.k8s.io.
    • Resources: customresourcedefinitions.
    • Verbs: get, list.
  • Manage monitoring dashboards.
    • API Groups: monitoringcontroller.cloud.ibm.com.
    • Resources: monitoringdashboards.
    • Verbs: create, get, list, watch.