Posted to commits@camel.apache.org by pc...@apache.org on 2023/12/13 08:29:17 UTC

(camel-k) 01/04: feat(install): Separate namespaced and descoped rbacs

This is an automated email from the ASF dual-hosted git repository.

pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git

commit fdfbb8acf2ba6b0370e9133157e9136de7abbf2b
Author: Gaelle Fournier <ga...@gmail.com>
AuthorDate: Fri Nov 10 14:35:32 2023 +0100

    feat(install): Separate namespaced and descoped rbacs
    
    Ref #3165
---
 config/manifests/kustomization.yaml                |   1 +
 .../descoped}/kustomization.yaml                   |  36 +++---
 .../operator-cluster-role-binding-events.yaml}     |   5 +-
 .../operator-cluster-role-binding-keda.yaml}       |   5 +-
 .../operator-cluster-role-binding-knative.yaml}    |   5 +-
 .../operator-cluster-role-binding-leases.yaml}     |   5 +-
 ...operator-cluster-role-binding-podmonitors.yaml} |   5 +-
 .../operator-cluster-role-binding-strimzi.yaml}    |   5 +-
 .../operator-cluster-role-binding.yaml}            |   5 +-
 .../operator-cluster-role-events.yaml}             |   2 +-
 .../operator-cluster-role-keda.yaml}               |   2 +-
 .../operator-cluster-role-knative.yaml}            |   2 +-
 .../operator-cluster-role-leases.yaml}             |   2 +-
 .../operator-cluster-role-podmonitors.yaml}        |   2 +-
 .../operator-cluster-role-strimzi.yaml}            |   2 +-
 .../operator-cluster-role.yaml}                    |   2 +-
 config/rbac/kustomization.yaml                     |  29 +++--
 config/rbac/{ => namespaced}/kustomization.yaml    |   9 +-
 .../operator-role-binding-events.yaml              |   0
 .../operator-role-binding-keda.yaml                |   0
 .../operator-role-binding-knative.yaml             |   0
 .../operator-role-binding-leases.yaml              |   0
 .../operator-role-binding-podmonitors.yaml         |   0
 .../operator-role-binding-strimzi.yaml             |   0
 .../{ => namespaced}/operator-role-binding.yaml    |   0
 .../{ => namespaced}/operator-role-events.yaml     |   0
 .../rbac/{ => namespaced}/operator-role-keda.yaml  |   0
 .../{ => namespaced}/operator-role-knative.yaml    |   0
 .../{ => namespaced}/operator-role-leases.yaml     |   0
 .../operator-role-podmonitors.yaml                 |   0
 .../{ => namespaced}/operator-role-strimzi.yaml    |   0
 config/rbac/{ => namespaced}/operator-role.yaml    |   0
 install/Makefile                                   |  10 +-
 install/setup/kustomization.yaml                   |  12 --
 pkg/install/operator.go                            | 136 ++++++++++++++-------
 35 files changed, 159 insertions(+), 123 deletions(-)

diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 94f8a27f8..9a926be1b 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -27,6 +27,7 @@ resources:
 - ../samples
 - ../scorecard
 - ../rbac
+- ../rbac/namespaced
 - ../rbac/openshift
 
 patchesStrategicMerge:
diff --git a/config/manifests/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
similarity index 61%
copy from config/manifests/kustomization.yaml
copy to config/rbac/descoped/kustomization.yaml
index 94f8a27f8..ade2d46ba 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/rbac/descoped/kustomization.yaml
@@ -14,25 +14,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-# Labels to add to all resources and selectors.
-commonLabels:
-  app: camel-k
-
 resources:
-- ../manager
-- ../crd
-- ../samples
-- ../scorecard
-- ../rbac
-- ../rbac/openshift
-
-patchesStrategicMerge:
-- patch-delete-user-cluster-role.yaml
-- patch-delete-pvc.yaml
-images:
-- name: docker.io/apache/camel-k
-  newName: docker.io/apache/camel-k
-  newTag: 2.2.0-SNAPSHOT
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-events.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-events.yaml
index 7b1d41dd5..9dd5228d2 100644
--- a/config/rbac/operator-role-binding-events.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-events
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-events
   apiGroup: rbac.authorization.k8s.io
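Review bot: The added `namespace: placeholder` on the ServiceAccount subject is a literal that must be rewritten to the operator's namespace before this binding is applied, and nothing in the file says so. If any install path applies it unmodified, the ClusterRole is bound to a `camel-k-operator` service account in a namespace called `placeholder` rather than to the real operator. Whether both the Go customizer and the kustomize namespace setting rewrite ClusterRoleBinding subjects is not visible in this commit, so each path is worth confirming. I would add a comment above the field, `# replaced at install time with the operator namespace; never apply as-is`, and have the installer refuse to proceed while the value is still `placeholder`. The same applies to the keda, knative, leases, podmonitors, strimzi and base `operator-cluster-role-binding` files added below.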
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-keda.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-keda.yaml
index fd8c60256..92e154e87 100644
--- a/config/rbac/operator-role-binding-keda.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-keda
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-keda
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-knative.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-knative.yaml
index 034baef7b..739b0dd06 100644
--- a/config/rbac/operator-role-binding-knative.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-knative
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-knative
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-leases.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-leases.yaml
index 5bbc4efc1..35d667fd1 100644
--- a/config/rbac/operator-role-binding-leases.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-leases
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-leases
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-podmonitors.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
index 26b6d9c85..bef231b07 100644
--- a/config/rbac/operator-role-binding-podmonitors.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-podmonitors
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-podmonitors
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
similarity index 94%
copy from config/rbac/operator-role-binding-strimzi.yaml
copy to config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
index 9a860c02c..fefd14352 100644
--- a/config/rbac/operator-role-binding-strimzi.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-strimzi
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator-strimzi
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
similarity index 94%
copy from config/rbac/operator-role-binding.yaml
copy to config/rbac/descoped/operator-cluster-role-binding.yaml
index afbdf270f..83f227d62 100644
--- a/config/rbac/operator-role-binding.yaml
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: RoleBinding
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator
@@ -24,7 +24,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: camel-k-operator
+  namespace: placeholder
 roleRef:
-  kind: Role
+  kind: ClusterRole
   name: camel-k-operator
   apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
similarity index 98%
copy from config/rbac/operator-role-events.yaml
copy to config/rbac/descoped/operator-cluster-role-events.yaml
index d109b734d..1dfd24b01 100644
--- a/config/rbac/operator-role-events.yaml
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-events
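Review bot: This ClusterRole is a copy of the namespaced Role with only `kind` changed, so the rule list (outside the hunk) now lives in two files that can drift apart. A permission later tightened in `namespaced/operator-role-events.yaml` would silently stay cluster-wide here. I would add a header comment such as `# rules must stay in sync with ../namespaced/operator-role-events.yaml` and, if possible, a CI check that compares the `rules:` sections of each pair. The same holds for the keda, knative, leases, podmonitors, strimzi and base `operator-cluster-role` copies in this commit.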
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
similarity index 98%
copy from config/rbac/operator-role-keda.yaml
copy to config/rbac/descoped/operator-cluster-role-keda.yaml
index 22c026c15..3b3f432eb 100644
--- a/config/rbac/operator-role-keda.yaml
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-keda
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
similarity index 98%
copy from config/rbac/operator-role-knative.yaml
copy to config/rbac/descoped/operator-cluster-role-knative.yaml
index 3cba80931..305d26b62 100644
--- a/config/rbac/operator-role-knative.yaml
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-knative
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
similarity index 98%
copy from config/rbac/operator-role-leases.yaml
copy to config/rbac/descoped/operator-cluster-role-leases.yaml
index 4223e8e2e..6ea671bd2 100644
--- a/config/rbac/operator-role-leases.yaml
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-leases
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
similarity index 98%
copy from config/rbac/operator-role-podmonitors.yaml
copy to config/rbac/descoped/operator-cluster-role-podmonitors.yaml
index 7a3fe05c4..2578103c3 100644
--- a/config/rbac/operator-role-podmonitors.yaml
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-podmonitors
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
similarity index 98%
copy from config/rbac/operator-role-strimzi.yaml
copy to config/rbac/descoped/operator-cluster-role-strimzi.yaml
index ab0a91d70..9ccea139f 100644
--- a/config/rbac/operator-role-strimzi.yaml
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator-strimzi
diff --git a/config/rbac/operator-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
similarity index 99%
copy from config/rbac/operator-role.yaml
copy to config/rbac/descoped/operator-cluster-role.yaml
index 4ddc2d4c1..d7ee2fa39 100644
--- a/config/rbac/operator-role.yaml
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -15,7 +15,7 @@
 # limitations under the License.
 # ---------------------------------------------------------------------------
 
-kind: Role
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: camel-k-operator
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index f2600f162..5b3e03f55 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -23,23 +23,22 @@ kind: Kustomization
 
 resources:
 - user-cluster-role.yaml
-- operator-role-events.yaml
-- operator-role-knative.yaml
-- operator-role.yaml
-- operator-role-keda.yaml
-- operator-role-leases.yaml
-- operator-role-podmonitors.yaml
-- operator-role-strimzi.yaml
-- operator-role-binding-events.yaml
-- operator-role-binding-keda.yaml
-- operator-role-binding-knative.yaml
-- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
-- operator-role-binding-podmonitors.yaml
-- operator-role-binding-strimzi.yaml
-- operator-role-binding.yaml
 - operator-cluster-role-custom-resource-definitions.yaml
 - operator-cluster-role-binding-custom-resource-definitions.yaml
 - operator-cluster-role-addressable-resolver.yaml
 - operator-cluster-role-binding-addressable-resolver.yaml
 - operator-cluster-role-local-registry.yaml
+- operator-role-binding-local-registry.yaml
+
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry
\ No newline at end of file
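Review bot: Moving the `fix-local-registry-rbac-namespace` transformer from `install/setup` into this base probably changes when it runs relative to the namespace that `setup` sets. The Makefile hunk still calls `set-kustomize-namespace` on `setup`, and an overlay's `namespace:` is applied after its bases are built, so it would likely overwrite the `kube-public` value this patch puts on the `camel-k-operator-local-registry` RoleBinding. The binding would then land in the operator namespace instead of `kube-public`. Please verify with `kustomize build install/setup` that the RoleBinding still renders with `namespace: kube-public`, or keep the transformer in the overlay. The file also now ends without a trailing newline and with two consecutive blank lines before `transformers:`.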
diff --git a/config/rbac/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml
similarity index 78%
copy from config/rbac/kustomization.yaml
copy to config/rbac/namespaced/kustomization.yaml
index f2600f162..510beb4d5 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/namespaced/kustomization.yaml
@@ -16,13 +16,12 @@
 # ---------------------------------------------------------------------------
 
 #
-# rbac resources applicable for all kubernetes platforms
+# rbac resources applicable for all kubernetes platforms - namespaced operator
 #
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- user-cluster-role.yaml
 - operator-role-events.yaml
 - operator-role-knative.yaml
 - operator-role.yaml
@@ -34,12 +33,6 @@ resources:
 - operator-role-binding-keda.yaml
 - operator-role-binding-knative.yaml
 - operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
 - operator-role-binding-podmonitors.yaml
 - operator-role-binding-strimzi.yaml
 - operator-role-binding.yaml
-- operator-cluster-role-custom-resource-definitions.yaml
-- operator-cluster-role-binding-custom-resource-definitions.yaml
-- operator-cluster-role-addressable-resolver.yaml
-- operator-cluster-role-binding-addressable-resolver.yaml
-- operator-cluster-role-local-registry.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-events.yaml
rename to config/rbac/namespaced/operator-role-binding-events.yaml
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-keda.yaml
rename to config/rbac/namespaced/operator-role-binding-keda.yaml
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-knative.yaml
rename to config/rbac/namespaced/operator-role-binding-knative.yaml
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-leases.yaml
rename to config/rbac/namespaced/operator-role-binding-leases.yaml
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-strimzi.yaml
rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml
similarity index 100%
rename from config/rbac/operator-role-binding.yaml
rename to config/rbac/namespaced/operator-role-binding.yaml
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml
similarity index 100%
rename from config/rbac/operator-role-events.yaml
rename to config/rbac/namespaced/operator-role-events.yaml
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-keda.yaml
rename to config/rbac/namespaced/operator-role-keda.yaml
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-knative.yaml
rename to config/rbac/namespaced/operator-role-knative.yaml
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-leases.yaml
rename to config/rbac/namespaced/operator-role-leases.yaml
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-podmonitors.yaml
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-strimzi.yaml
rename to config/rbac/namespaced/operator-role-strimzi.yaml
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml
similarity index 100%
rename from config/rbac/operator-role.yaml
rename to config/rbac/namespaced/operator-role.yaml
diff --git a/install/Makefile b/install/Makefile
index ce329c6d5..a80f5e3da 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -241,13 +241,11 @@ endif
 setup: setup-cluster
 # Set the namespace in the setup kustomization yaml
 	@$(call set-kustomize-namespace,$@)
-# If GLOBAL then add the conversion patches for all roles and rolebindings
-ifeq ($(GLOBAL),true)
-	@$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
-	@$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+# If GLOBAL then add the versions with clusterroles and clusterrolebindings
+ifeq ($(GLOBAL), true)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;
 else
-	@$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
-	@$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
 endif
 ifeq ($(PLATFORM), openshift)
 	@for res in $(RBAC_OS)/operator-role*; do \
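Review bot: `kustomize edit add resource` only ever adds, whereas the removed code took the conversion patches back out in the `else` branch. Running `setup` with `GLOBAL=true` and later without it on the same tree therefore leaves both `../$(RBAC)/descoped` and `../$(RBAC)/namespaced` in `setup/kustomization.yaml`, and a namespaced install would then also create the ClusterRoles and ClusterRoleBindings. Each branch should first drop the other variant, e.g. `$(KUSTOMIZE) edit remove resource ../$(RBAC)/namespaced` before the add in the global branch and the reverse in the `else`. Separately, `&> /dev/null` is a bash extension; `> /dev/null 2>&1` is safe if this recipe runs under a POSIX `/bin/sh` (the `SHELL` setting is not visible here). The `setup` recipe continues past the end of the hunk.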
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index 9598726ca..c10dfd653 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,15 +19,3 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
-
-transformers:
-- |-
-  apiVersion: builtin
-  kind: PatchTransformer
-  metadata:
-    name: fix-local-registry-rbac-namespace
-  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
-  target:
-    group: rbac.authorization.k8s.io
-    kind: RoleBinding
-    name: camel-k-operator-local-registry
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 9daf61ee0..2db3fde3d 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 	}
 
 	// Install Kubernetes RBAC resources (roles and bindings)
-	if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		return err
 	}
 
@@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 		return err
 	}
 	if isKnative {
-		if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+		if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 			return err
 		}
 		if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil {
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 		}
 	}
 
-	if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.")
 	}
 
-	if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.")
 	}
 
-	if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.")
 	}
 
-	if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. Try installing as cluster-admin to allow the lookup of strimzi kafka resources.")
 	}
 
-	if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
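Review bot: Every optional RBAC step in this hunk discards `err` unless it is `AlreadyExists` and prints a fixed warning instead. With `cfg.Global` now selecting ClusterRole and ClusterRoleBinding manifests, that hides whether the failure was a Forbidden on a cluster-scoped create, a missing CRD or something else. I would include the cause in each warning, e.g. `fmt.Fprintf(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events: %v\n", err)`, so an administrator can tell which permissions the operator ended up without. The `installLeaseBindings` branch and the rest of `OperatorOrCollect` continue outside the hunk.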
@@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin
 	)
 }
 
-func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/manager/operator-service-account.yaml",
-		"/rbac/operator-role.yaml",
-		"/rbac/operator-role-binding.yaml",
-	)
+func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/manager/operator-service-account.yaml",
+			"/rbac/descoped/operator-cluster-role.yaml",
+			"/rbac/descoped/operator-cluster-role-binding.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/manager/operator-service-account.yaml",
+			"/rbac/namespaced/operator-role.yaml",
+			"/rbac/namespaced/operator-role-binding.yaml",
+		)
+	}
 }
 
 func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
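Review bot: `installKubernetesRoles` now has an `else` after a terminating `return` and two near-identical `ResourcesOrCollect` calls that differ only in directory and file prefix. The same shape is repeated in `installKedaBindings`, `installKnative`, `installEvents`, `installPodMonitors`, `installStrimziBindings` and `installLeaseBindings` in the following hunks. Seven hand-copied path pairs make it easy for one of them to point at the wrong scope, which for RBAC means installing cluster-wide permissions where namespaced ones were intended. A small helper that derives both paths from `global` and a suffix removes the duplication and leaves a single place to audit. The sketch below assumes `ResourcesOrCollect` takes the manifest names variadically, as the differing argument counts suggest.

```go
// rbacResources returns the role and role-binding manifests for one RBAC
// group, picking the cluster-scoped copies when the operator is global.
func rbacResources(global bool, suffix string) []string {
	dir, role := "/rbac/namespaced/", "operator-role"
	if global {
		dir, role = "/rbac/descoped/", "operator-cluster-role"
	}
	return []string{dir + role + suffix + ".yaml", dir + role + "-binding" + suffix + ".yaml"}
}

func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
	names := append([]string{"/manager/operator-service-account.yaml"}, rbacResources(global, "")...)
	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, names...)
}

// … unchanged: installOperator …
// the other six helpers become e.g.
//   return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer, rbacResources(global, "-keda")...)
```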
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus
 	)
 }
 
-func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-keda.yaml",
-		"/rbac/operator-role-binding-keda.yaml",
-	)
+func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-keda.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-keda.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-keda.yaml",
+			"/rbac/namespaced/operator-role-binding-keda.yaml",
+		)
+	}
 }
 
-func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-knative.yaml",
-		"/rbac/operator-role-binding-knative.yaml",
-	)
+func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-knative.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-knative.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-knative.yaml",
+			"/rbac/namespaced/operator-role-binding-knative.yaml",
+		)
+	}
 }
 
-func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-events.yaml",
-		"/rbac/operator-role-binding-events.yaml",
-	)
+func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-events.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-events.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-events.yaml",
+			"/rbac/namespaced/operator-role-binding-events.yaml",
+		)
+	}
 }
 
-func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-podmonitors.yaml",
-		"/rbac/operator-role-binding-podmonitors.yaml",
-	)
+func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-podmonitors.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-podmonitors.yaml",
+			"/rbac/namespaced/operator-role-binding-podmonitors.yaml",
+		)
+	}
 }
 
-func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-strimzi.yaml",
-		"/rbac/operator-role-binding-strimzi.yaml",
-	)
+func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-strimzi.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-strimzi.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-strimzi.yaml",
+			"/rbac/namespaced/operator-role-binding-strimzi.yaml",
+		)
+	}
 }
 
 func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace
 	)
 }
 
-func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-leases.yaml",
-		"/rbac/operator-role-binding-leases.yaml",
-	)
+func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-leases.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-leases.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-leases.yaml",
+			"/rbac/namespaced/operator-role-binding-leases.yaml",
+		)
+	}
 }
 
 // NewPlatform creates a new IntegrationPlatform instance.