update rbac manifests

manifests/operator-service-account-rbac.yaml

@@ -227,51 +227,3 @@ subjects:
 - kind: ServiceAccount
   name: postgres-operator
   namespace: default
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: postgres-pod
-rules:
-# Patroni needs to watch and manage endpoints
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
-# Patroni needs to watch pods
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-# to let Patroni create a headless service
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - create
-# to grant privilege to run privileged pods (not needed by default)
-#- apiGroups:
-#  - extensions
-#  resources:
-#  - podsecuritypolicies
-#  resourceNames:
-#  - privileged
-#  verbs:
-#  - use

manifests/postgres-pod-rbac.yaml

@@ -10,6 +10,7 @@ kind: ClusterRole
 metadata:
   name: postgres-pod
 rules:
+# Patroni needs to watch and manage endpoints
 - apiGroups:
   - ""
   resources:
@@ -23,6 +24,7 @@ rules:
   - patch
   - update
   - watch
+# Patroni needs to watch pods
 - apiGroups:
   - ""
   resources:
@@ -33,17 +35,19 @@ rules:
   - patch
   - update
   - watch
+# to let Patroni create a headless service
 - apiGroups:
   - ""
   resources:
   - services
   verbs:
   - create
-- apiGroups:
+# to grant privilege to run privileged pods (not needed by default)
-  - extensions
+#- apiGroups:
-  resources:
+#  - extensions
-  - podsecuritypolicies
+#  resources:
-  resourceNames:
+#  - podsecuritypolicies
-  - privileged
+#  resourceNames:
-  verbs:
+#  - privileged
-  - use
+#  verbs:
+#  - use