astefanutti commented on issue #2379: URL: https://github.com/apache/camel-k/issues/2379#issuecomment-860628998
Thanks. OLM is responsible for creating the aggregated roles for API resources it installs from CRDs: https://github.com/operator-framework/olm-docs/blob/15cf01d3550e3ffc6861f9ade373081809276822/content/en/docs/Concepts/crds/operatorgroup.md#rbac I haven't double checked it, but from the understanding that I have of the following section: > A `<kind.group-version-edit>` ClusterRole is generated with the `create, update, patch, release` verbs on `<group> <kind>` with aggregation labels rbac.authorization.k8s.io/aggregate-to-edit: true` is that the generated aggregating roles do not grant permission on sub-resources. Logically, permissions on sub-resources should be granted by OLM as well. I don't see any reason to prevent operations on a sub-resource, of a resource that the user can delete. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
