From e5822f4f528c2c00db93eb8199212ca0b44847cd Mon Sep 17 00:00:00 2001
From: Fabian Fischer
Date: Thu, 27 Jan 2022 15:19:22 +0100
Subject: [PATCH] Add missing permissions to the apiserver role
---
 apiserver/organization/members.go | 2 +
 apiserver/organization/rolebindings.go | 6 +++
 config/rbac/role.yaml | 52 ++++++++++++++++++++++++++
 3 files changed, 60 insertions(+)
diff --git a/apiserver/organization/members.go b/apiserver/organization/members.go
index 371bcbc3..8fb6a60e 100644
--- a/apiserver/organization/members.go
+++ b/apiserver/organization/members.go
@@ -7,6 +7,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// +kubebuilder:rbac:groups="appuio.io",resources=organizationmembers,verbs=get;list;watch;create;delete;patch;update;edit
+
 // memberProvider is an abstraction for interacting with the OrganizationMembers Object
 //go:generate go run github.com/golang/mock/mockgen -source=$GOFILE -destination=./mock/$GOFILE
 type memberProvider interface {
diff --git a/apiserver/organization/rolebindings.go b/apiserver/organization/rolebindings.go
index 800acb68..87fa09ef 100644
--- a/apiserver/organization/rolebindings.go
+++ b/apiserver/organization/rolebindings.go
@@ -11,6 +11,12 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;delete;patch;update;edit
+
+// Needed so that we are allowed to delegate the default clusterroles
+// +kubebuilder:rbac:groups="rbac.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
+// +kubebuilder:rbac:groups="organization.appuio.io",resources=organizations,verbs=get;list;watch;create;delete;patch;update;edit
+
 //go:generate go run github.com/golang/mock/mockgen -source=$GOFILE -destination=./mock/$GOFILE
 type roleBindingCreator interface {
 CreateRoleBindings(ctx context.Context, namespace string) error
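Review bot: `edit` in the `verbs=` list of the marker added to apiserver/organization/members.go is not a Kubernetes RBAC request verb; it is the name of a default ClusterRole, while the API verbs are get, list, watch, create, update, patch, delete and deletecollection. The rule entry therefore most likely never matches a request and only makes the generated role harder to audit, so I would drop it: `// +kubebuilder:rbac:groups="appuio.io",resources=organizationmembers,verbs=get;list;watch;create;delete;patch;update`. The same `edit` entry appears in the three markers added to rolebindings.go and in the matching rules of config/rbac/role.yaml. It is also worth trimming the list to the verbs memberProvider really issues; the interface body is outside this hunk, so which ones those are cannot be confirmed from here.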
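Review bot: The two `organizations` markers added under "Needed so that we are allowed to delegate the default clusterroles" in apiserver/organization/rolebindings.go give the apiserver full write access to organizations in two API groups only to satisfy the RBAC escalation check, which is broader than that purpose needs. Kubernetes also allows creating a binding to a role the subject does not itself hold when it has the `bind` verb on that role, so a narrower grant would be `// +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles,verbs=bind,resourceNames=<default-clusterrole-names>`, with the placeholder replaced by the roles actually delegated. The `rolebindings` marker deserves the same scrutiny: only `CreateRoleBindings` is visible here (the interface continues outside the hunk), so `delete`, `patch` and `update` look unnecessary unless other code needs them. If config/rbac/role.yaml is a ClusterRole, that rule applies in every namespace, and the comment should then name the clusterroles being delegated so the grant can be audited.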
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 03a2a80a..f07fc1e8 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -36,6 +36,19 @@ rules: - get - list - watch +- apiGroups: + - appuio.io + resources: + - organizationmembers + verbs: + - create + - delete + - edit + - get + - list + - patch + - update + - watch - apiGroups: - coordination.k8s.io resources: @@ -54,3 +67,42 @@ rules: - get - list - watch +- apiGroups: + - organization.appuio.io + resources: + - organizations + verbs: + - create + - delete + - edit + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.appuio.io + resources: + - organizations + verbs: + - create + - delete + - edit + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - delete + - edit + - get + - list + - patch + - update + - watch