The AppSSO package aggregates the following permissions into TAP’s well-known roles:
app-operator

- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - clientregistrations
  verbs:
  - "*"

app-viewer

- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - clientregistrations
  verbs:
  - get
  - list
  - watch

To manage the life cycle of AppSSO CRDs, the AppSSO operator’s ServiceAccount has a ClusterRole with the following permissions:

- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - authservers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - authservers/status
  verbs:
  - patch
  - update
- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - clientregistrations
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - clientregistrations/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  - services
  - serviceaccounts
  verbs:
  - "*"
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - "*"
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - issuers
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
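
To review these grants offline, the following added example (not part of the AppSSO package or its documentation) evaluates requests against the rules listed above and reports which rules grant every verb on a reviewer-chosen set of resources. The `SENSITIVE` set and all function names are assumptions of this example, and the matching is simplified to exact names plus `"*"`.

```python
# Added example: rules transcribed from the role listings on this page.
SSO = "sso.apps.tanzu.vmware.com"
RBAC = "rbac.authorization.k8s.io"
APP_OPERATOR = [(SSO, ["clientregistrations"], ["*"])]
APP_VIEWER = [(SSO, ["clientregistrations"], ["get", "list", "watch"])]
OPERATOR = [
    (SSO, ["authservers"], ["get", "list", "watch"]),
    (SSO, ["authservers/status"], ["patch", "update"]),
    (SSO, ["clientregistrations"], ["get", "list", "watch"]),
    (SSO, ["clientregistrations/status"], ["patch", "update"]),
    ("", ["secrets", "configmaps", "services", "serviceaccounts"], ["*"]),
    ("apps", ["deployments"], ["*"]),
    (RBAC, ["roles", "rolebindings"], ["*"]),
    ("cert-manager.io", ["certificates", "issuers"], ["*"]),
    ("", ["events"], ["create", "update", "patch"]),
    ("coordination.k8s.io", ["leases"], ["create", "get", "update"]),
]
# Assumption of this example: resources a reviewer looks at first because
# they hold credentials or grant further permissions.
SENSITIVE = {"secrets", "serviceaccounts", "roles", "rolebindings"}


def allowed(rules, verb, group, resource):
    """True if any rule matches group, resource and verb (exact or "*").

    A subresource such as "authservers/status" is its own resource string:
    a rule on "authservers" does not cover it, and vice versa.
    """
    return any(
        g in (group, "*")
        and (resource in resources or "*" in resources)
        and (verb in verbs or "*" in verbs)
        for g, resources, verbs in rules
    )


def wildcard_grants(rules, sensitive=SENSITIVE):
    """(group, resource) pairs from `sensitive` granted with verb "*"."""
    return sorted(
        (g, r) for g, resources, verbs in rules if "*" in verbs
        for r in resources if r in sensitive
    )


if __name__ == "__main__":
    for grant in wildcard_grants(OPERATOR):
        print("every verb on", grant)
    print("viewer may delete clientregistrations:",
          allowed(APP_VIEWER, "delete", SSO, "clientregistrations"))
```

On a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>` gives the authoritative answer for the operator's ServiceAccount; the namespace and name are placeholders because this page does not state them.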