RBAC Requirements

Service Binding Operator performs requests against the Kubernetes API using a dedicated service account. By default, the account has permissions to bind services to applications, both represented by standard Kubernetes Deployments, DaemonSets, ReplicaSets, StatefulSets and OpenShift DeploymentConfigs.

Based on the spec recommendation, the operator service account is bound to an aggregated cluster role, allowing operator vendors and/or cluster admins to enable binding custom service resources. The required permissions must be encapsulated within a ClusterRole labelled with servicebinding.io/controller: "true".

Example: Enable binding to MongoDB instances provisioned by the Percona MongoDB operator:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: percona-mongodb-view
  labels:
    servicebinding.io/controller: "true"
rules:
  - apiGroups:
      - psmdb.percona.com
    resources:
      - perconaservermongodbs
      - perconaservermongodbs/status
    verbs:
      - get
      - list

This cluster role can be deployed during the installation of the backing service operator. You can add it as part of the manifests.
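Because every ClusterRole carrying this label is aggregated into the operator's service account, it is worth auditing what the labelled roles grant. The following is an added example, not part of the operator's code: it checks the JSON output of `kubectl get clusterroles -l servicebinding.io/controller=true -o json` for wildcards and non-read verbs. The read-only policy, the function name and the second sample role are assumptions made for illustration.

```python
# Assumption: roles aggregated into the operator's account should be read-only,
# like the example above (get, list); "watch" is also treated as read-only.
READ_ONLY_VERBS = {"get", "list", "watch"}
AGGREGATION_LABEL = "servicebinding.io/controller"


def audit_aggregated_roles(cluster_role_list):
    """Return (role name, rule index, problem) for each risky rule in labelled ClusterRoles."""
    findings = []
    for role in cluster_role_list.get("items", []):
        meta = role.get("metadata", {})
        if meta.get("labels", {}).get(AGGREGATION_LABEL) != "true":
            continue  # not aggregated into the operator's cluster role
        for i, rule in enumerate(role.get("rules") or []):
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.append((meta["name"], i, f"wildcard in {field}"))
            extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS - {"*"}
            if extra:
                findings.append((meta["name"], i, "non-read verbs: " + ",".join(sorted(extra))))
    return findings


# Constructed sample in the shape of a kubectl ClusterRole list. The first item
# mirrors the example above; the second is a hypothetical over-broad role.
SAMPLE = {"items": [
    {"metadata": {"name": "percona-mongodb-view",
                  "labels": {AGGREGATION_LABEL: "true"}},
     "rules": [{"apiGroups": ["psmdb.percona.com"],
                "resources": ["perconaservermongodbs", "perconaservermongodbs/status"],
                "verbs": ["get", "list"]}]},
    {"metadata": {"name": "example-too-broad",
                  "labels": {AGGREGATION_LABEL: "true"}},
     "rules": [{"apiGroups": ["*"], "resources": ["secrets"],
                "verbs": ["get", "update"]}]},
]}

if __name__ == "__main__":
    for name, idx, problem in audit_aggregated_roles(SAMPLE):
        print(f"{name} rules[{idx}]: {problem}")
```

To audit a live cluster, pass the parsed kubectl JSON output to `audit_aggregated_roles` instead of `SAMPLE`.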