From 7f2f90022e8b07ba5c0baa2c445a47e37bf240b9 Mon Sep 17 00:00:00 2001
From: Flavio Fernandes
Date: Mon, 24 Apr 2023 21:29:01 +0000
Subject: [PATCH] rbac: ovn-kubernetes: add aggregate-to-cluster-reader permissions
API group "k8s.ovn.org" should be included to cluster-reader role. That group has the following resources:
- EgressFirewall
- EgressIP
- EgressQoS
Signed-off-by: Flavio Fernandes
---
 .../common/007-rbac-cluster-reader.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
diff --git a/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml b/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
new file mode 100644
index 0000000000..e063ef0c87
--- /dev/null
+++ b/bindata/network/ovn-kubernetes/common/007-rbac-cluster-reader.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+ name: openshift-ovn-kubernetes-cluster-reader
+rules:
+- apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressfirewalls
+ - egressips
+ - egressqoses
+ verbs:
+ - get
+ - list
+ - watch
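Review bot: The new ClusterRole carries no comment saying that the `rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"` label folds these rules into cluster-reader, so any subject holding that role would presumably gain read access to EgressFirewall, EgressIP and EgressQoS objects wherever the role is bound. A header comment above `kind: ClusterRole` would make that explicit, for example `# Aggregated into cluster-reader: read-only (get/list/watch) on k8s.ovn.org egress resources; list new resources explicitly, never "*".` The explicit resource and verb lists are the right least-privilege shape and are worth keeping that way if further resources join the API group. As a style point, `apiGroups: ["k8s.ovn.org"]` uses flow style while `resources` and `verbs` use block lists; one form throughout reads more consistently.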