From b0018b6ecfdc110d58fe4917659a5f45658ecb13 Mon Sep 17 00:00:00 2001
From: Felix Kunde
Date: Tue, 18 Feb 2020 17:31:31 +0100
Subject: [PATCH] operator RBAC needs podsecuritypolicy to grant it to postgres-pod
---
 .../templates/clusterrole.yaml | 27 ++++++++++++-------
 manifests/operator-service-account-rbac.yaml | 27 ++++++++++++-------
 2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/charts/postgres-operator/templates/clusterrole.yaml b/charts/postgres-operator/templates/clusterrole.yaml
index 1d9ce70c2..9a4165797 100644
--- a/charts/postgres-operator/templates/clusterrole.yaml
+++ b/charts/postgres-operator/templates/clusterrole.yaml
@@ -134,6 +134,18 @@ rules:
 - get
 - list
 - patch
+# to CRUD cron jobs for logical backups
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
 # to get namespaces operator resources can run in
 - apiGroups:
 - ""
@@ -166,16 +178,13 @@ rules:
 verbs:
 - get
 - create
-# to CRUD cron jobs for logical backups
+# to grant privilege to run privileged pods
 - apiGroups:
- - batch
+ - extensions
 resources:
- - cronjobs
+ - podsecuritypolicies
+ resourceNames:
+ - privileged
 verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
+ - use
 {{ end }}
diff --git a/manifests/operator-service-account-rbac.yaml b/manifests/operator-service-account-rbac.yaml
index 802411623..80fcd89ef 100644
--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@@ -135,6 +135,18 @@ rules:
 - get
 - list
 - patch
+# to CRUD cron jobs for logical backups
+- apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
 # to get namespaces operator resources can run in
 - apiGroups:
 - ""
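Review bot: The rule added at the end of `rules:` in `charts/postgres-operator/templates/clusterrole.yaml` grants the operator's ClusterRole `use` on a PodSecurityPolicy whose name is hard-coded as `privileged`; the second hunk of `manifests/operator-service-account-rbac.yaml` adds the same rule. The policy itself is not part of this patch, but a policy of that name normally admits privileged containers and host namespaces, so pods created under the operator's service account, and under any account the operator passes the grant on to (which the subject line says is the intent), could be admitted with far more than a database pod needs. I would point the rule at a dedicated, restrictive policy for the Postgres pods, take the name from a chart value instead of a literal, and replace the comment with something like `# operator must hold "use" itself to grant it to the postgres pod service account; keep the referenced PSP as narrow as possible`. Separately, PodSecurityPolicy lives in the `policy` API group on current clusters and `extensions` is the legacy group, so listing `- policy` as well under `apiGroups` looks safer than relying on the legacy name being honoured; this should be confirmed against the Kubernetes versions the chart targets.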
@@ -167,18 +179,15 @@ rules:
 verbs:
 - get
 - create
-# to CRUD cron jobs for logical backups
+# to grant privilege to run privileged pods
 - apiGroups:
- - batch
+ - extensions
 resources:
- - cronjobs
+ - podsecuritypolicies
+ resourceNames:
+ - privileged
 verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
+ - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1