RBAC

The AppSSO package aggregates the following permissions into TAP's well-known roles. Note that both roles cover only clientregistrations; neither grants any access to authservers:

  • app-operator

    - apiGroups:
      - sso.apps.tanzu.vmware.com
      resources:
      - clientregistrations
      verbs:
      - "*"

  • app-viewer

    - apiGroups:
      - sso.apps.tanzu.vmware.com
      resources:
      - clientregistrations
      verbs:
      - get
      - list
      - watch

To manage the life cycle of AppSSO CRDs, the AppSSO operator's ServiceAccount is bound to a ClusterRole with the following permissions. Note that several of these rules grant all verbs ("*") cluster-wide on core Secrets, ConfigMaps, Services and ServiceAccounts, on Deployments, on Roles and RoleBindings, and on cert-manager Certificates and Issuers, so the operator's ServiceAccount token should be treated as highly privileged:

- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - authservers
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - authservers/status
  verbs:
    - patch
    - update
- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - clientregistrations
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - clientregistrations/status
  verbs:
    - patch
    - update
- apiGroups:
    - ""
  resources:
    - secrets
    - configmaps
    - services
    - serviceaccounts
  verbs:
    - "*"
- apiGroups:
    - apps
  resources:
    - deployments
  verbs:
    - "*"
- apiGroups:
    - rbac.authorization.k8s.io
  resources:
    - roles
    - rolebindings
  verbs:
    - "*"
- apiGroups:
    - cert-manager.io
  resources:
    - certificates
    - issuers
  verbs:
    - "*"
- apiGroups:
    - ""
  resources:
    - events
  verbs:
    - create
    - update
    - patch
- apiGroups:
    - coordination.k8s.io
  resources:
    - leases
  verbs:
    - create
    - get
    - update
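The rules above are easy to misread, in particular the difference between a rule on `authservers` and one on `authservers/status`, and which grants carry a wildcard verb. The following is an added example, not code from the AppSSO package or its documentation: it transcribes the page's rules into Python and reimplements the Kubernetes RBAC matching semantics (apiGroup, resource including subresource, verb, with "*" wildcards) so a reviewer can ask "can this role do X?" offline before binding it, and list every wildcard-verb grant. It assumes no `resourceNames` or `nonResourceURLs` are in play, which is true of the rules on this page; the function names are the example's own.

```python
"""RBAC rule evaluator for the AppSSO roles shown on this page.

Added example, not part of AppSSO. The rule lists below are transcribed
from the page; `allowed` mirrors Kubernetes RBAC rule matching and
`wildcard_grants` surfaces the grants a reviewer should look at first.
Assumption: rules carry no resourceNames / nonResourceURLs.
"""

SSO_GROUP = "sso.apps.tanzu.vmware.com"

# Transcribed from the page: permissions aggregated into TAP's app-operator role.
APP_OPERATOR_RULES = [
    {"apiGroups": [SSO_GROUP], "resources": ["clientregistrations"], "verbs": ["*"]},
]

# Transcribed from the page: permissions aggregated into TAP's app-viewer role.
APP_VIEWER_RULES = [
    {"apiGroups": [SSO_GROUP], "resources": ["clientregistrations"], "verbs": ["get", "list", "watch"]},
]

# Transcribed from the page: the AppSSO operator ServiceAccount's ClusterRole.
OPERATOR_CLUSTERROLE_RULES = [
    {"apiGroups": [SSO_GROUP], "resources": ["authservers"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [SSO_GROUP], "resources": ["authservers/status"], "verbs": ["patch", "update"]},
    {"apiGroups": [SSO_GROUP], "resources": ["clientregistrations"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [SSO_GROUP], "resources": ["clientregistrations/status"], "verbs": ["patch", "update"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps", "services", "serviceaccounts"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"], "verbs": ["*"]},
    {"apiGroups": ["cert-manager.io"], "resources": ["certificates", "issuers"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "update", "patch"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["create", "get", "update"]},
]


def _resource_matches(rule_resources, resource):
    """Kubernetes semantics: "*" matches anything; a subresource request such
    as authservers/status matches a rule naming "authservers/status" or
    "*/status", but NOT a rule that only names "authservers"."""
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if "/" in resource and r == "*/" + resource.split("/", 1)[1]:
            return True
    return False


def allowed(rules, api_group, resource, verb):
    """True if any single rule matches the group, resource and verb.
    Use "" for the core API group, as the YAML does."""
    for rule in rules:
        if not any(g in ("*", api_group) for g in rule["apiGroups"]):
            continue
        if not _resource_matches(rule["resources"], resource):
            continue
        if any(v in ("*", verb) for v in rule["verbs"]):
            return True
    return False


def wildcard_grants(rules):
    """(apiGroup, resource) pairs on which some rule grants every verb."""
    found = []
    for rule in rules:
        if "*" in rule["verbs"]:
            for g in rule["apiGroups"]:
                for r in rule["resources"]:
                    found.append((g, r))
    return found


if __name__ == "__main__":
    print(allowed(APP_OPERATOR_RULES, SSO_GROUP, "clientregistrations", "delete"))
    print(allowed(APP_VIEWER_RULES, SSO_GROUP, "clientregistrations", "create"))
    # The operator can patch the status subresource but cannot mutate the spec.
    print(allowed(OPERATOR_CLUSTERROLE_RULES, SSO_GROUP, "authservers/status", "patch"))
    print(allowed(OPERATOR_CLUSTERROLE_RULES, SSO_GROUP, "authservers", "patch"))
    for group, res in wildcard_grants(OPERATOR_CLUSTERROLE_RULES):
        print("wildcard verbs on", (group or "core") + "/" + res)
```

The same questions can be asked of a live cluster with `kubectl auth can-i <verb> <resource>.<group> --as=system:serviceaccount:<ns>:<sa>`; the offline evaluator is useful for reviewing a role before it is ever bound.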