From d0806bdb461e1ee293580fa599592f5e5a8907d9 Mon Sep 17 00:00:00 2001
From: tkdchen <cqi@redhat.com>
Date: Wed, 20 Sep 2023 14:03:45 +0800
Subject: [PATCH] Update permissions for build team members (#2381)

STONEBLD-1611

This patch also cleans up several unnecessary permissions that was
granted to some build maintainers.

Signed-off-by: Chenxiong Qi <cqi@redhat.com>
---
 .../base/rbac/build-maintainer.yaml           | 58 +++++--------------
 1 file changed, 16 insertions(+), 42 deletions(-)

diff --git a/components/build-service/base/rbac/build-maintainer.yaml b/components/build-service/base/rbac/build-maintainer.yaml
index 5184663db6f..a5b2a9ae252 100644
--- a/components/build-service/base/rbac/build-maintainer.yaml
+++ b/components/build-service/base/rbac/build-maintainer.yaml
@@ -3,61 +3,23 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: build-maintainer
 rules:
-  - apiGroups:
-      - operators.coreos.com
-    resources:
-      - installplans
-    verbs:
+  - verbs:
       - get
       - list
-      - update
       - patch
-  - verbs:
-      - patch
-      - get
+      - update
     apiGroups:
       - ''
     resources:
       - serviceaccounts
     resourceNames:
-      - pipeline # TODO: figure out how to 'gitops' this.
+      - appstudio-pipeline # TODO: figure out how to 'gitops' this.
   - verbs:
-      - create
-      - get
       - list
-      - watch
-      - delete
     apiGroups:
       - ''
     resources:
       - secrets
-  - verbs:
-      - '*' # needed till we figure out how to cleanup workspaces.
-    apiGroups:
-      - 'tekton.dev'
-    resources:
-      - 'pipelineruns'
-  - apiGroups:
-      - results.tekton.dev
-    resources:
-      - results
-      - records
-    verbs:
-      - get
-      - list
-  - apiGroups:
-    - ''
-    resources:
-    - pods/portforward
-    verbs:
-    - create
-  - apiGroups:
-      - 'apps'
-    resources:
-      - deployments
-    verbs:
-      - get
-      - patch
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -67,10 +29,22 @@ metadata:
 subjects:
   - kind: User
     apiGroup: rbac.authorization.k8s.io
-    name: sbose78
+    name: cqi
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: mkosiarc
   - kind: User
     apiGroup: rbac.authorization.k8s.io
     name: mmorhun
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: rcerven
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: susdas
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: tnevrlka
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole