
Role definition can cause problems for non cluster admin #215

Open
stevelipinski opened this issue Feb 21, 2022 · 1 comment

Comments

@stevelipinski

The following Role rule can cause problems with users that are not full cluster admin:

  - apiGroups: ["rbac.authorization.k8s.io", ""]
    resources: ["roles", "serviceaccounts", "rolebindings"]
    verbs: ["bind", "escalate", "impersonate", "userextras", "create", "get",
            "list", "watch", "update", "patch", "delete", "deletecollection"]

This appears to be due to the fact that serviceaccount resources are not part of the rbac.authorization.k8s.io apiGroup, and vice-versa with roles and rolebindings and the v1/null apiGroup.
On an env where the user does not have full cluster-admin rights, this error can occur:

Error: roles.rbac.authorization.k8s.io "redis-enterprise-operator" is forbidden: user "testuser" (groups=["system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["rbac.authorization.k8s.io"], Resources:["serviceaccounts"], Verbs:["create" "get" "list" "watch" "update" "patch" "delete" "deletecollection"]}

Can the rule be split out properly into two separate rules, one for serviceaccounts and another for roles and rolebindings with the appropriate apiGroup for each?
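Added example, not code from the issue, the Redis Enterprise operator, or Kubernetes itself: a small Python model of the check that produces the "attempting to grant RBAC permissions not currently held" error above. A PolicyRule listing several apiGroups and several resources grants the full cross product apiGroups x resources x verbs, so the combined rule also claims rbac.authorization.k8s.io/serviceaccounts and core/roles, core/rolebindings, which no real API serves but which the escalation check still requires the creating user to hold. The `TESTUSER_RULES` permissions are constructed for the example; the helper names are mine; and the model omits the `escalate` bypass and the other shortcuts the real check has.

```python
"""Simplified model of Kubernetes RBAC escalation prevention (added example).

Rules are dicts mirroring the YAML fields. "" is the core API group.
Simplifications relative to Kubernetes: no bypass for users holding the
'escalate' verb on roles, no resourceNames, no nonResourceURLs.
"""
from itertools import product

RBAC = "rbac.authorization.k8s.io"
CORE = ""

VERBS_ALL = ["bind", "escalate", "impersonate", "userextras", "create", "get",
             "list", "watch", "update", "patch", "delete", "deletecollection"]

# The rule quoted in the issue, unchanged.
COMBINED_RULE = {
    "apiGroups": [RBAC, CORE],
    "resources": ["roles", "serviceaccounts", "rolebindings"],
    "verbs": VERBS_ALL,
}

# The split proposed in the issue: each resource under the apiGroup it lives in.
SPLIT_RULES = [
    {"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": VERBS_ALL},
    {"apiGroups": [CORE], "resources": ["serviceaccounts"], "verbs": VERBS_ALL},
]

# Constructed for this example: a namespace-scoped user who holds exactly the
# permissions that exist for these three resources, and nothing else.
TESTUSER_RULES = SPLIT_RULES


def breakdown(rule):
    """Expand one rule into (apiGroup, resource, verb) triples.

    This is the cross product the escalation check works on, so the combined
    rule expands to 2 groups x 3 resources x 12 verbs = 72 triples, three
    group/resource pairs of which match no real API.
    """
    return set(product(rule["apiGroups"], rule["resources"], rule["verbs"]))


def covers(held, wanted):
    """True if one held triple covers a wanted one; '*' is a wildcard."""
    return all(h == "*" or h == w for h, w in zip(held, wanted))


def missing_permissions(user_rules, role_rules):
    """Triples in role_rules that nothing in user_rules covers.

    Kubernetes refuses the Role create/update if this is non-empty and reports
    the missing entries grouped by apiGroup and resource. Sorted for stable output.
    """
    held = set().union(*(breakdown(r) for r in user_rules))
    wanted = set().union(*(breakdown(r) for r in role_rules))
    return sorted(w for w in wanted if not any(covers(h, w) for h in held))


if __name__ == "__main__":
    for label, rules in (("combined rule", [COMBINED_RULE]), ("split rules", SPLIT_RULES)):
        missing = missing_permissions(TESTUSER_RULES, rules)
        print(f"{label}: {len(missing)} permission(s) not held by testuser")
        for group, resource, verb in missing:
            print(f"  {group or 'core'}/{resource}: {verb}")
```

Running it lists 36 missing triples for the combined rule (every verb on rbac.authorization.k8s.io/serviceaccounts, core/roles and core/rolebindings) and none for the split rules, which is the behaviour the issue describes: a full cluster-admin is never affected because `*`/`*`/`*` covers the phantom combinations too.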

@laurentdroin
Contributor

Hi Steve,

I am not able to replicate this issue. With a user that has the permissions for roles and rolebinding (rbac.authorization.k8s.io API group) and for serviceaccounts (core API group), I have no issue deploying the Operator with the rule described above.
Would you mind opening a Support ticket with us (Redis) and, in this ticket, give a little more information about what permissions were set on your user?
Thanks.
-- Laurent
