From 6ab17bdc3c660e704ce7319a21a517f38907a541 Mon Sep 17 00:00:00 2001
From: Jon
Date: Sat, 4 Nov 2023 18:26:25 +0930
Subject: [PATCH] fix(rbac): authorization:namespace:owner ns owner not to remove cluster resources !6
---
 templates/kubernetes-manifest-rbac.yaml.j2 | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/templates/kubernetes-manifest-rbac.yaml.j2 b/templates/kubernetes-manifest-rbac.yaml.j2
index 7f2cdca..162d984 100644
--- a/templates/kubernetes-manifest-rbac.yaml.j2
+++ b/templates/kubernetes-manifest-rbac.yaml.j2
@@ -90,16 +90,14 @@ metadata:
 app.kubernetes.io/version: ''
 name: authorization:namespace:owner
 rules:
- - apiGroups: # Read-only access to resrouces
+ - apiGroups: # Read-Write access to resrouces
 - "*"
 resources:
- - awx
 - cronjobs
 - daemonset
 - deployments
 - helmcharts
 - helmchartconfigs
- - ingress
 - jobs
 - pods
 - pvc
@@ -109,7 +107,6 @@ rules:
 - serviceaccount
 - services
 - statefuleset
- - storageclasses
 - configmap
 verbs:
 - create
@@ -117,6 +114,23 @@ rules:
 - list
 - watch
 - delete
+ - apiGroups: # Read-Remove access
+ - "*"
+ resources:
+ - ingress
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - apiGroups: # Read access
+ - "*"
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
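Review bot: Kubernetes RBAC matches `resources` entries literally against the API's plural resource names, so the singular or abbreviated entries kept in this rule (`daemonset`, `pvc` here; `serviceaccount`, `statefuleset`, `configmap` in the second hunk) and the new `ingress` rule in the third hunk grant nothing as written. The names the API expects are `daemonsets`, `persistentvolumeclaims`, `serviceaccounts`, `statefulsets`, `configmaps` and `ingresses`. As it stands the namespace owner silently loses the ingress access this commit means to keep, rather than getting the narrowed get/list/watch/delete set. Since the rules are being split by privilege level anyway, consider replacing `apiGroups: "*"` with the specific groups (for example `networking.k8s.io` for ingresses and `storage.k8s.io` for storageclasses) so a same-named resource from another API group is not covered by accident. The edited comment also still carries the typo `resrouces`. The rule's resource list continues outside this hunk.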