Fix *.user.openshift.io RBAC (#86)

Was not noticed because usage profiles require elevated permissions.

Author: bastjan

config/rbac/role.yaml

@@ -80,31 +80,31 @@ rules:
   - patch
   - update
 - apiGroups:
-  - group.openshift.io
+  - rbac.authorization.k8s.io
   resources:
-  - users
+  - clusterrolebindings
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - clusterrolebindings
+  - rolebindings
   verbs:
+  - create
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
-  - rbac.authorization.k8s.io
+  - user.openshift.io
   resources:
-  - rolebindings
+  - groups
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

controllers/groupsync_controller.go

@@ -40,7 +40,7 @@ const OrganizationMembersManifestName = "members"
 
 const UpstreamFinalizerPrefix = "agent.appuio.io/group-zone-"
 
-//+kubebuilder:rbac:groups=group.openshift.io,resources=users,verbs=get;list;watch;update;patch;create;delete
+//+kubebuilder:rbac:groups=user.openshift.io,resources=groups,verbs=get;list;watch;update;patch;create;delete
 
 // Reconcile syncs the Group with the upstream OrganizationMembers or Team resource from the foreign (Control-API) cluster.
 func (r *GroupSyncReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {