ControllerRoleBindings returns the role bindings used by controllers.

ControllerRoles returns the cluster roles used by controllers.

GetBoostrapSCCAccess provides the default set of access that should be passed to GetBootstrapSecurityContextConstraints.

GetBootstrapSecurityContextConstraints returns the slice of default SecurityContextConstraints for system bootstrapping.

GetDeadClusterRoleBindings returns cluster role bindings which should no longer have any subjects.

GetDeadClusterRoles returns cluster roles which should no longer have any permissions.

NamespaceRoleBindings returns a map of namespace to slice of role bindings to create.

NamespaceRoles returns a map of namespace to slice of roles to create.

Roles.

Roles.

Roles.

Roles.

Roles.

users.

users.

groups.

groups.

RoleBindings.

Roles.

users.

Roles.

Bindings.

Roles.

RoleBindings.

Roles.

RoleBindings.

Roles.

groups.

RoleBindings.

Roles.

Roles.

groups.

RoleBindings.

Roles.

Resources and Subresources.

known namespaces.

known namespaces.

known namespaces.

users.

RoleBindings.

Roles.

users.

DescriptionAnnotation is the annotation used for attaching descriptions.

Roles.

Authorization resources.

Roles.

Roles.

RoleBindings.

Roles.

Roles.

RoleBindings.

Roles.

Roles.

Roles.

This is a special constant which maps to the service account name used by the underlying Kubernetes code, so that we can build out the extra policy required to scale OpenShift resources.

Service Account Names that are not controller related.

template instance controller watches for TemplateInstance object creation and instantiates templates as a result.

template service broker is an open service broker-compliant API implementation which serves up OpenShift templates.

Resources and Subresources.

Previous versions used this as the username for the master to connect to the kubelet This should remain in the default role bindings for the NodeAdmin role.

users.

Not granted any API permissions, just an identity for a client certificate for the API proxy to use Should not be changed without considering impact to pods that may be verifying this identity by default.

users.

RoleBindings.

Roles.

groups.

users.

users.

RoleBindings.

NodeAdmin has full access to the API provided by the kubelet.

groups.

Roles.

Roles.

Resources and Subresources.

These are valid under the "nodes" resource.

RoleBindings.

NodeReader has read access to the metrics and stats provided by the kubelet.

groups.

Resources and Subresources.

Resources and Subresources.

RoleBindings.

Roles.

RoleBindings.

Roles.

Resources and Subresources.

Roles.

Roles.

Roles.

Roles.

Roles.

Roles.

Roles.

RoleBindings.

Roles.

SecurityContextConstraintHostMountAndAnyUID is used as the name for the system default host mount + any UID scc.

SecurityContextConstraintHostNS is used as the name for the system default scc that grants access to all host ns features.

SecurityContextConstraintNonRoot is used as the name for the system default non-root scc.

SecurityContextConstraintPrivileged is used as the name for the system default privileged scc.

SecurityContextConstraintRestricted is used as the name for the system default restricted scc.

SecurityContextConstraintsAnyUID is used as the name for the system default scc that grants access to run as any uid but is still restricted to specific SELinux contexts.

SecurityContextConstraintsHostNetwork is used as the name for the system default scc that grants access to run with host networking and host ports but still allocates uid/gids/selinux from the namespace.

Legacy roles that must continue to have a plural form.

Roles.

RoleBindings.

Roles.

Resources and Subresources.

RoleBindings.

Roles.

Roles.

Roles.

users.

Roles.

groups.

Roles.

RoleBindings.

Roles.