The Application Single Sign-On (commonly called AppSSO) package aggregates the following permissions into Tanzu Application Platform’s well-known roles. For more information, see Role descriptions for Tanzu Application Platform.
apiGroups:
- sso.apps.tanzu.vmware.com
resources:
- clientregistrations
- workloadregistrations
verbs:
- '*'

apiGroups:
- sso.apps.tanzu.vmware.com
resources:
- clientregistrations
- workloadregistrations
verbs:
- get
- list
- watch

apiGroups:
- sso.apps.tanzu.vmware.com
resources:
- clientregistrations
- workloadregistrations
verbs:
- get
- list
- watch

apiGroups:
- sso.apps.tanzu.vmware.com
resources:
- authservers
- clusterunsafetestlogins
- clusterworkloadregistrationclasses
verbs:
- '*'

To manage the life cycle of AppSSO’s APIs, the AppSSO controller’s ServiceAccount has a ClusterRole with the following permissions:
- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - authservers
  - clientregistrations
  - clusterunsafetestlogins
  - clusterworkloadregistrationclasses
  - workloadregistrations
  verbs:
  - '*'
- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - authservers/status
  - clientregistrations/status
  - clusterunsafetestlogins/status
  - clusterworkloadregistrationclasses/status
  - workloadregistrations/status
  verbs:
  - patch
  - update
- apiGroups:
  - sso.apps.tanzu.vmware.com
  resources:
  - authservers/finalizers
  - clientregistrations/finalizers
  - clusterunsafetestlogins/finalizers
  - clusterworkloadregistrationclasses/finalizers
  - workloadregistrations/finalizers
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  - services
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - issuers
  verbs:
  - '*'
- apiGroups:
  - cert-manager.io
  resources:
  - clusterissuers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - '*'
- apiGroups:
  - servicebinding.io
  resources:
  - servicebindings
  verbs:
  - '*'
- apiGroups:
  - services.apps.tanzu.vmware.com
  resources:
  - clusterinstanceclasses
  verbs:
  - '*'
- apiGroups:
  - services.apps.tanzu.vmware.com
  resources:
  - clusterinstanceclasses
  verbs:
  - '*'
- apiGroups:
  - apiextensions.crossplane.io
  resources:
  - compositions
  verbs:
  - '*'
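
For a least-privilege review of the controller ClusterRole, the following added example (not part of the AppSSO documentation or package) evaluates requests against a subset of the rules above using Kubernetes RBAC matching. It shows that `'*'` verbs on `authservers` do not extend to `authservers/status`, and reports which entries of a watchlist the role grants. The names `allows`, `granted` and `WATCHLIST` are hypothetical, and the watchlist is a reviewer's assumption.

```python
# Added example: a subset of the controller ClusterRole rules listed on this page.
RULES = [
    {"apiGroups": ["sso.apps.tanzu.vmware.com"],
     "resources": ["authservers", "clientregistrations"], "verbs": ["*"]},
    {"apiGroups": ["sso.apps.tanzu.vmware.com"],
     "resources": ["authservers/status", "clientregistrations/status"],
     "verbs": ["patch", "update"]},
    {"apiGroups": [""], "verbs": ["*"],
     "resources": ["secrets", "configmaps", "services", "serviceaccounts"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["roles", "rolebindings"], "verbs": ["*"]},
    {"apiGroups": ["cert-manager.io"],
     "resources": ["clusterissuers"], "verbs": ["get", "list", "watch"]},
]


def resource_matches(rule_resource, resource, subresource=""):
    """Kubernetes RBAC resource matching, including subresources."""
    combined = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", combined):
        return True
    # "*/status" style entries match that subresource on any resource.
    return bool(subresource) and rule_resource == f"*/{subresource}"


def allows(rules, verb, group, resource, subresource=""):
    """True if any rule grants verb on group/resource[/subresource]."""
    for rule in rules:
        if not ({"*", verb} & set(rule["verbs"])):
            continue
        if not ({"*", group} & set(rule["apiGroups"])):
            continue
        if any(resource_matches(r, resource, subresource) for r in rule["resources"]):
            return True
    return False


# Assumption: a reviewer-chosen watchlist of sensitive write requests.
WATCHLIST = [
    ("delete", "", "secrets"),
    ("create", "rbac.authorization.k8s.io", "rolebindings"),
    ("create", "rbac.authorization.k8s.io", "clusterrolebindings"),
    ("update", "cert-manager.io", "clusterissuers"),
]


def granted(rules, watchlist=WATCHLIST):
    return [w for w in watchlist if allows(rules, *w)]
```
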
AppSSO also installs OpenShift-specific RBAC and resources. For more information, see Application Single Sign-On for OpenShift clusters.