Cluster-scoped permissions required by the Automation assets operator

The Automation foundation assets operator (Automation assets add-on) requires the following cluster-scoped permissions:

  • Manage admission webhooks: The Automation assets operator uses admission webhooks to provide immediate validation and feedback about the creation and modification of Automation assets instances. The permission to manage webhooks is required for the operator to register these actions.

    • API Groups: admissionregistration.k8s.io

    • Resources: validatingwebhookconfigurations

    • Verbs: create, delete, get, list, patch, update, watch

  • Manage namespaces: When the Automation assets operator is installed namespace-scoped, a label is applied to the namespace to ensure that the Automation assets webhook only validates Custom Resources in that namespace.

    • API Groups:

    • Resources: namespaces

    • Verbs: get, list, patch, update

    Tip: If you want the Automation assets catalog to be auto-initialized and include App Connect templates from an auto-created remote, *you must enabl

    API Groups is empty because it's a core resource.

  • List storage classes: This allows the Automation assets operator to validate that the storage classes selected by the user exist.

    • API Groups: storage.k8s.io

    • Resources: storageclasses

    • Verbs: get, list, watch

  • List cluster versions: The Automation assets operator requires access to the cluster version so it can detect what version of OpenShift the user is running and give guidance on version compatibility.

    • API Groups: config.openshift.io

    • Resources: clusterversions

    • Verbs: list, get
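
To check a deployed ClusterRole against the list above, the following added example (not IBM's or the operator's own code) reports documented permissions that are missing and grants that go beyond the documented set. The role name and sample rules are constructed for illustration; in practice the input would be the JSON form of the operator's actual ClusterRole.

```python
# Permissions documented on this page: (apiGroup, resource) -> verbs.
# "" is the core API group, which is why the namespaces entry names no group.
DOCUMENTED = {
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"):
        {"create", "delete", "get", "list", "patch", "update", "watch"},
    ("", "namespaces"): {"get", "list", "patch", "update"},
    ("storage.k8s.io", "storageclasses"): {"get", "list", "watch"},
    ("config.openshift.io", "clusterversions"): {"list", "get"},
}

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
# The role name and the drift in it are made up for this example.
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-assets-operator"},
    "rules": [
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "patch", "update", "delete"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
    ],
}

def audit(role):
    """Return (missing, excess) as sorted (apiGroup, resource, verb) tuples."""
    granted = {
        (g, r, v)
        for rule in role.get("rules", [])
        for g in rule.get("apiGroups", [])
        for r in rule.get("resources", [])
        for v in rule.get("verbs", [])
    }
    wanted = {(g, r, v) for (g, r), verbs in DOCUMENTED.items() for v in verbs}

    def covered(want):
        # A grant covers a documented tuple when each field matches or is "*".
        return any(all(a in (b, "*") for a, b in zip(grant, want))
                   for grant in granted)
    missing = sorted(w for w in wanted if not covered(w))
    excess = sorted(granted - wanted)  # wildcards always land here
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_ROLE)
    print("missing:", missing, "\nexcess:", excess)
```

Rules narrowed with resourceNames are treated as full grants by this check, so it can over-report but will not hide an excess permission.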