Merge pull request #54 from appuio/fix/user-rbac/create-permission

Adjust OrgMember permissions
appuio · Mar 28, 2022 · 5c46014 · 5c46014
2 parents 9d5b15a + f6db10f
commit 5c46014
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 1 deletion.
diff --git a/config/rbac/controller/role.yaml b/config/rbac/controller/role.yaml
@@ -17,6 +17,8 @@ rules:
   resources:
   - organizationmembers
   verbs:
+  - create
+  - delete
   - get
   - list
   - patch

diff --git a/config/user-rbac/organization-admin-role.yml b/config/user-rbac/organization-admin-role.yml
@@ -8,7 +8,7 @@ rules:
   verbs: ["get", "watch", "list", "patch", "update", "create"]
 - apiGroups: ["appuio.io"] 
   resources: ["organizationmembers"]
-  verbs: ["get", "watch", "list", "patch", "update", "create"]
+  verbs: ["get", "watch", "list", "patch", "update"]
 - apiGroups: ["appuio.io"]
   resources: ["teams"]
   verbs: ["get", "watch", "list", "patch", "update", "create", "delete"]

diff --git a/controllers/organization_members_controller.go b/controllers/organization_members_controller.go
@@ -34,6 +34,7 @@ type OrganizationMembersReconciler struct {
 // Needed so that we are allowed to delegate common member roles
 //+kubebuilder:rbac:groups="rbac.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update
 //+kubebuilder:rbac:groups="organization.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update
+//+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch;create;delete;patch;update
 //+kubebuilder:rbac:groups="appuio.io",resources=teams,verbs=get;list;watch;create;delete;patch;update
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete