Create custom RBAC for osac

mlorenzofr · mlorenzofr · commit a6dc4cfdce0c · 2026-03-05T16:46:24.000+01:00
Signed-off-by: Manuel Lorenzo &lt;mlorenzofr@redhat.com&gt;
diff --git a/playbooks/tasks/vmaas.yaml b/playbooks/tasks/vmaas.yaml
@@ -148,14 +148,23 @@
       delay: 5
       until: __r_create_aap_osac_sa is success
 
-    - name: "Create osac-sa ClusterRoleBinding in AAP namespace"
+    - name: "Create osac ClusterRole"
       kubernetes.core.k8s:
         state: present
-        definition: "{{ lookup('ansible.builtin.template', '../templates/aap-osac-clusterrolebinding.yaml.j2') | from_yaml }}"
-      register: __r_create_aap_osac_clusterrolebinding
+        definition: "{{ lookup('ansible.builtin.template', '../templates/aap-osac-clusterrole.yaml.j2') | from_yaml }}"
+      register: __r_create_aap_osac_clusterrole
       retries: 10
       delay: 5
-      until: __r_create_aap_osac_clusterrolebinding is success
+      until: __r_create_aap_osac_clusterrole is success
+
+    - name: "Create osac-rolebinding RoleBinding in AAP namespace"
+      kubernetes.core.k8s:
+        state: present
+        definition: "{{ lookup('ansible.builtin.template', '../templates/aap-osac-rolebinding.yaml.j2') | from_yaml }}"
+      register: __r_create_aap_osac_rolebinding
+      retries: 10
+      delay: 5
+      until: __r_create_aap_osac_rolebinding is success
 
     - name: "Create AnsibleAutomationPlatform resource"
       kubernetes.core.k8s:
diff --git a/playbooks/templates/aap-osac-clusterrole.yaml.j2 b/playbooks/templates/aap-osac-clusterrole.yaml.j2
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: osac
+rules:
+  - apiGroups:
+    - "osac.openshift.io"
+    resources:
+    - "tenants"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+
+  - apiGroups:
+    - "osac.openshift.io"
+    resources:
+    - "computeinstances"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "create"
+    - "update"
+    - "patch"
+    - "delete"
+
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "create"
+    - "update"
+    - "patch"
+    - "delete"
diff --git a/playbooks/templates/aap-osac-rolebinding.yaml.j2 b/playbooks/templates/aap-osac-rolebinding.yaml.j2
@@ -1,12 +1,13 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: osac-sa
+  name: osac-rolebinding
+  namespace: {{ aap_ns }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: osac
 subjects:
   - kind: ServiceAccount
     name: osac-sa
