From a44da934e6ca5393fc72727fb6a2d6f731a12f4a Mon Sep 17 00:00:00 2001
From: Sergey Dudoladov
Date: Tue, 2 Apr 2019 15:15:42 +0200
Subject: [PATCH] Update RBAC
---
 docs/administrator.md | 2 ++
 manifests/operator-service-account-rbac.yaml | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/docs/administrator.md b/docs/administrator.md
index 8a53e7cb1..76db1675d 100644
--- a/docs/administrator.md
+++ b/docs/administrator.md
@@ -351,3 +351,5 @@ The operator can manage k8s cron jobs to do periodic logical backups of all PG c
 2. Due to the [limitation of Kubernetes cron jobs](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-job-limitations) it is highly advisable to set up additional monitoring for this feature; such monitoring is outside of the scope of operator responsibilities.
 3. The operator does not remove old backups.
+
+For that feature to work, your RBAC policy must enable operations on the `cronjobs` resource from the `batch` API group for the operator service account.
\ No newline at end of file
diff --git a/manifests/operator-service-account-rbac.yaml b/manifests/operator-service-account-rbac.yaml
index 7bd539ac5..c070f4064 100644
--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@@ -139,7 +139,16 @@ rules:
 - bind
 resourceNames:
 - zalando-postgres-operator
-
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs # enables logical backups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
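Review bot: The new `batch`/`cronjobs` rule in manifests/operator-service-account-rbac.yaml grants `create`, `delete` and `patch` with no namespace or `resourceNames` limit, and because the next document is a ClusterRoleBinding the rule presumably sits in a ClusterRole (the rule list starts outside the hunk, so this is inferred). A CronJob carries a full pod template, so these write verbs amount to the right to schedule workloads in every namespace the binding covers, which the inline `# enables logical backups` does not convey. I would replace it with a comment above the rule, for example `# logical backup CronJobs: created, patched and deleted by the operator per PG cluster; cluster-wide unless bound with a namespaced RoleBinding`. Since `resourceNames` cannot constrain `create`, any narrowing has to come from the binding scope or from an admission policy on CronJobs created by this service account.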