diff --git a/manifests/operator-service-account-rbac.yaml b/manifests/operator-service-account-rbac.yaml
index 966743032..2f0da9ea7 100644
--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@@ -227,51 +227,3 @@ subjects:
 - kind: ServiceAccount
   name: postgres-operator
   namespace: default
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: postgres-pod
-rules:
-# Patroni needs to watch and manage endpoints
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
-# Patroni needs to watch pods
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-# to let Patroni create a headless service
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - create
-# to grant privilege to run privileged pods (not needed by default)
-#- apiGroups:
-#  - extensions
-#  resources:
-#  - podsecuritypolicies
-#  resourceNames:
-#  - privileged
-#  verbs:
-#  - use
diff --git a/manifests/postgres-pod-rbac.yaml b/manifests/postgres-pod-rbac.yaml
index 9536acbb7..ac5badeb8 100644
--- a/manifests/postgres-pod-rbac.yaml
+++ b/manifests/postgres-pod-rbac.yaml
@@ -10,6 +10,7 @@ kind: ClusterRole
 metadata:
   name: postgres-pod
 rules:
+# Patroni needs to watch and manage endpoints
 - apiGroups:
   - ""
   resources:
@@ -23,6 +24,7 @@ rules:
   - patch
   - update
   - watch
+# Patroni needs to watch pods
 - apiGroups:
   - ""
   resources:
@@ -33,17 +35,19 @@ rules:
   - patch
   - update
   - watch
+# to let Patroni create a headless service
 - apiGroups:
   - ""
   resources:
   - services
   verbs:
   - create
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - privileged
-  verbs:
-  - use
+# to grant privilege to run privileged pods (not needed by default)
+#- apiGroups:
+#  - extensions
+#  resources:
+#  - podsecuritypolicies
+#  resourceNames:
+#  - privileged
+#  verbs:
+#  - use
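Review bot: The opt-in stanza kept as commented-out YAML at the end of the last hunk of postgres-pod-rbac.yaml still names `extensions` as the API group for `podsecuritypolicies`; PodSecurityPolicy moved to the `policy` group before the legacy group was dropped (and the resource itself was removed in later Kubernetes releases), so anyone re-enabling it by uncommenting gets a rule that matches nothing on current clusters. If the example is meant to stay usable, change the group line to `#  - policy` and say in the comment which cluster versions it applies to. Turning the grant off by default is the right call: `use` on the `privileged` PSP lets pods running under any service account bound to this ClusterRole bypass the cluster's pod security restrictions, so it should come back only through an explicit per-deployment opt-in, not by editing the shared manifest. The `rules:` sequence this hunk edits begins outside the hunk, and the same stanza appears in the deletion hunk of operator-service-account-rbac.yaml, which needs no separate change.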