diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 3f881731..6370d380 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -32,7 +32,10 @@ rules:
 verbs: [ use ]
 resourceNames: [ nonroot ]
 - apiGroups: [ "" ]
- resources: [ "users", "groups" ]
+ resources: [ "users", "groups", "serviceaccounts" ]
+ verbs: [ "impersonate" ]
+ - apiGroups: [ "authentication.k8s.io" ]
+ resources: [ "*" ] #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
 verbs: [ "impersonate" ]
 - apiGroups: [ "" ]
 resources: [ nodes ]
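Review bot: The new `authentication.k8s.io` rule grants `impersonate` on `resources: [ "*" ]`, which matches every impersonatable resource in that group, present or future (for example `uids` as well as `userextras`), not only the `userextras/*` that the inline comment says is wanted. Together with `users`, `groups` and `serviceaccounts` in the rule above, and with no `resourceNames` on either rule, a holder of this role can act as any identity, including members of `system:masters`, so the role should be documented and handled as cluster-admin equivalent. I would extend the comment to say so, e.g. `#! Wildcard also matches any other impersonatable resource in this group; treat this role as cluster-admin equivalent and bind it only to the concierge service account`, and confirm that API server audit logging records the impersonated identity for these requests. The role's metadata and its binding are outside the hunk, so the subjects that receive these permissions cannot be checked from here.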