From e1d93953384265d5c96f0270c21166ed6ecff433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erik=20Inge=20Bols=C3=B8?= Date: Fri, 14 Jun 2019 15:59:51 +0200 Subject: [PATCH] rbac: add user-facing clusterroles (#585) * rbac: add user-facing clusterroles --- docs/user.md | 9 +++++ manifests/user-facing-clusterroles.yaml | 51 +++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 manifests/user-facing-clusterroles.yaml diff --git a/docs/user.md b/docs/user.md index f33409720..4cce153aa 100644 --- a/docs/user.md +++ b/docs/user.md @@ -41,6 +41,15 @@ $ kubectl create -f manifests/minimal-postgres-manifest.yaml $ kubectl get pods -w --show-labels ``` +## Give K8S users access to create/list postgresqls + +```bash +$ kubectl create -f manifests/user-facing-clusterroles.yaml +``` + +Creates zalando-postgres-operator:users:view, :edit and :admin clusterroles that are +aggregated into the default roles. + ## Connect to PostgreSQL With a `port-forward` on one of the database pods (e.g. the master) you can diff --git a/manifests/user-facing-clusterroles.yaml b/manifests/user-facing-clusterroles.yaml new file mode 100644 index 000000000..800aafdb9 --- /dev/null +++ b/manifests/user-facing-clusterroles.yaml 
@@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ name: zalando-postgres-operator:users:admin
+rules:
+- apiGroups:
+ - acid.zalan.do
+ resources:
+ - postgresqls
+ - postgresqls/status
+ verbs:
+ - "*"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ name: zalando-postgres-operator:users:edit
+rules:
+- apiGroups:
+ - acid.zalan.do
+ resources:
+ - postgresqls
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: zalando-postgres-operator:users:view
+rules:
+- apiGroups:
+ - acid.zalan.do
+ resources:
+ - postgresqls
+ - postgresqls/status
+ verbs:
+ - get
+ - list
+ - watch
+
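Review bot: The admin role's `verbs: - "*"` grants every verb on `postgresqls` and `postgresqls/status`, and the `aggregate-to-admin` label extends that grant to every subject already bound to the built-in `admin` role as soon as the manifest is applied. An explicit list such as `verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]` keeps the grant reviewable and stops it from widening silently. If `postgresqls/status` is meant to be written only by the operator (not visible in this patch), it should move to its own rule limited to `get`, `list`, `watch` so namespace admins cannot overwrite the reported status. The edit role also carries no read verbs, so unless the cluster's `edit` role picks those up from elsewhere, it is worth confirming that editors can still `get` the objects they are allowed to patch.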