RBAC for AppSSO

The Application Single Sign-On (commonly called AppSSO) package aggregates the following permissions into Tanzu Application Platform’s well-known roles. For more information, see Role descriptions for Tanzu Application Platform.

User aggregated rules

app-operator

apiGroups:
  - sso.apps.tanzu.vmware.com
resources:
  - clientregistrations
  - workloadregistrations
verbs:
  - '*'

app-editor

apiGroups:
  - sso.apps.tanzu.vmware.com
resources:
  - clientregistrations
  - workloadregistrations
verbs:
  - get
  - list
  - watch

app-viewer

apiGroups:
  - sso.apps.tanzu.vmware.com
resources:
  - clientregistrations
  - workloadregistrations
verbs:
  - get
  - list
  - watch

service-operator

apiGroups:
  - sso.apps.tanzu.vmware.com
resources:
  - authservers
  - clusterunsafetestlogins
  - clusterworkloadregistrationclasses
verbs:
  - '*'

Controller

To manage the life cycle of AppSSO’s APIs, the AppSSO controller’s ServiceAccount has a ClusterRole with the following permissions:

- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - authservers
    - clientregistrations
    - clusterunsafetestlogins
    - clusterworkloadregistrationclasses
    - workloadregistrations
  verbs:
    - '*'
- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - authservers/status
    - clientregistrations/status
    - clusterunsafetestlogins/status
    - clusterworkloadregistrationclasses/status
    - workloadregistrations/status
  verbs:
    - patch
    - update
- apiGroups:
    - sso.apps.tanzu.vmware.com
  resources:
    - authservers/finalizers
    - clientregistrations/finalizers
    - clusterunsafetestlogins/finalizers
    - clusterworkloadregistrationclasses/finalizers
    - workloadregistrations/finalizers
  verbs:
    - '*'
- apiGroups:
    - ""
  resources:
    - events
  verbs:
    - create
    - update
    - patch
- apiGroups:
    - coordination.k8s.io
  resources:
    - leases
  verbs:
    - create
    - get
    - update
- apiGroups:
    - ""
  resources:
    - secrets
    - configmaps
    - services
    - serviceaccounts
  verbs:
    - '*'
- apiGroups:
    - apps
  resources:
    - deployments
  verbs:
    - '*'
- apiGroups:
    - rbac.authorization.k8s.io
  resources:
    - roles
    - rolebindings
  verbs:
    - '*'
- apiGroups:
    - cert-manager.io
  resources:
    - certificates
    - issuers
  verbs:
    - '*'
- apiGroups:
    - cert-manager.io
  resources:
    - clusterissuers
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - networking.k8s.io
  resources:
    - ingresses
  verbs:
    - '*'
- apiGroups:
    - servicebinding.io
  resources:
    - servicebindings
  verbs:
    - '*'
- apiGroups:
    - services.apps.tanzu.vmware.com
  resources:
    - clusterinstanceclasses
  verbs:
    - '*'
- apiGroups:
    - apiextensions.crossplane.io
  resources:
    - compositions
  verbs:
    - '*'
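
The user-facing roles above and the controller ClusterRole are easiest to reason about by evaluating them the way the API server's RBAC authorizer would. The following script is an added example, not AppSSO's own code: it transcribes the rules from this page into Python, implements a minimal `can_i` check with core RBAC semantics (verb, apiGroup and resource matching, `'*'` wildcards, subresources such as `authservers/status` treated as distinct resource strings), and runs a small privilege review over the controller's rules. It assumes the core API group is the empty string and does not model `resourceNames`, `nonResourceURLs` or the aggregation labels that compose the well-known Tanzu Application Platform roles.

```python
"""Evaluate the AppSSO RBAC rules from this page the way `kubectl auth can-i` does.

Added example, not AppSSO's code. Assumptions: rules are matched with the core
Kubernetes RBAC semantics only (verb/apiGroup/resource, '*' wildcards, subresources
as distinct "resource/sub" strings); resourceNames, nonResourceURLs and the
aggregation labels that compose the well-known roles are not modelled.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


SSO = "sso.apps.tanzu.vmware.com"
CORE = ""  # the core API group is the empty string in RBAC rules
READ_ONLY = ("get", "list", "watch")
USER_RESOURCES = ("clientregistrations", "workloadregistrations")
SSO_KINDS = ("authservers", "clientregistrations", "clusterunsafetestlogins",
             "clusterworkloadregistrationclasses", "workloadregistrations")

# Transcribed from the page's "User aggregated rules" section.
USER_ROLES = {
    "app-operator": [Rule((SSO,), USER_RESOURCES, ("*",))],
    "app-editor": [Rule((SSO,), USER_RESOURCES, READ_ONLY)],
    "app-viewer": [Rule((SSO,), USER_RESOURCES, READ_ONLY)],
    "service-operator": [Rule((SSO,), ("authservers", "clusterunsafetestlogins",
                                       "clusterworkloadregistrationclasses"), ("*",))],
}

# Transcribed from the page's controller ClusterRole.
CONTROLLER_RULES = [
    Rule((SSO,), SSO_KINDS, ("*",)),
    Rule((SSO,), tuple(k + "/status" for k in SSO_KINDS), ("patch", "update")),
    Rule((SSO,), tuple(k + "/finalizers" for k in SSO_KINDS), ("*",)),
    Rule((CORE,), ("events",), ("create", "update", "patch")),
    Rule(("coordination.k8s.io",), ("leases",), ("create", "get", "update")),
    Rule((CORE,), ("secrets", "configmaps", "services", "serviceaccounts"), ("*",)),
    Rule(("apps",), ("deployments",), ("*",)),
    Rule(("rbac.authorization.k8s.io",), ("roles", "rolebindings"), ("*",)),
    Rule(("cert-manager.io",), ("certificates", "issuers"), ("*",)),
    Rule(("cert-manager.io",), ("clusterissuers",), READ_ONLY),
    Rule(("networking.k8s.io",), ("ingresses",), ("*",)),
    Rule(("servicebinding.io",), ("servicebindings",), ("*",)),
    Rule(("services.apps.tanzu.vmware.com",), ("clusterinstanceclasses",), ("*",)),
    Rule(("apiextensions.crossplane.io",), ("compositions",), ("*",)),
]


def _allows(allowed: Iterable[str], value: str) -> bool:
    """A rule field matches when it lists the value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def can_i(rules, verb, resource, api_group=CORE) -> bool:
    """True if any rule grants `verb` on `resource` in `api_group`, as RBAC would."""
    return any(_allows(r.verbs, verb) and _allows(r.api_groups, api_group)
               and _allows(r.resources, resource) for r in rules)


# Resources whose write access is worth flagging in a privilege review:
# secrets expose credentials, and roles/rolebindings let a subject widen its own grants.
SENSITIVE = (
    (CORE, "secrets"),
    ("rbac.authorization.k8s.io", "roles"),
    ("rbac.authorization.k8s.io", "rolebindings"),
)
WRITE_VERBS = ("create", "update", "patch", "delete")


def sensitive_write_grants(rules) -> List[Tuple[str, str]]:
    """Return the (apiGroup, resource) pairs from SENSITIVE that `rules` can write."""
    return [(g, r) for g, r in SENSITIVE
            if any(can_i(rules, v, r, g) for v in WRITE_VERBS)]


if __name__ == "__main__":
    for name, rules in USER_ROLES.items():
        verdict = {v: can_i(rules, v, "clientregistrations", SSO) for v in ("get", "create")}
        print(f"{name:17} clientregistrations get={verdict['get']} create={verdict['create']}")
    print("controller can write:", sensitive_write_grants(CONTROLLER_RULES))
```

Running the script shows that `app-editor` and `app-viewer` receive identical read-only access to AppSSO's client and workload registrations while only `app-operator` can create or delete them, and that the controller's wildcard grants on `secrets`, `roles` and `rolebindings` are the rules to keep in view when reviewing what a compromise of the controller's ServiceAccount would reach. On a live cluster, `kubectl auth can-i --as=system:serviceaccount:NAMESPACE:NAME VERB RESOURCE` gives the authoritative answer, including aggregation and any additional bindings.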

AppSSO also installs OpenShift-specific RBAC and resources. For more information, see Application Single Sign-On for OpenShift clusters.