[release-4.1] adjust the authorization rules for workspace roles (#6331)

adjust the authorization rules for workspace roles

Signed-off-by: hongming <coder.scala@gmail.com>
Co-authored-by: hongming <coder.scala@gmail.com>

config/ks-core/templates/builtinroles.yaml

@@ -173,6 +173,8 @@ role:
         iam.kubesphere.io/scope: "workspace"
     templateNames:
       - workspace-view-workspace-settings
+      - workspace-view-members
+      - workspace-view-roles
   apiVersion: iam.kubesphere.io/v1beta1
   kind: WorkspaceRole
   metadata:
@@ -181,16 +183,7 @@ role:
       kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
       iam.kubesphere.io/auto-aggregate: "true"
     name: regular
-  rules:
-    - apiGroups:
-        - '*'
-      resources:
-        - workspaces
-        - workspacemembers
-      verbs:
-        - get
-        - list
-        - watch
+  rules: []
 
 ---
 apiVersion: iam.kubesphere.io/v1beta1
@@ -208,6 +201,9 @@ role:
     templateNames:
       - workspace-create-projects
       - workspace-view-workspace-settings
+      - workspace-view-members
+      - workspace-view-roles
+      - workspace-view-app-repos
   apiVersion: iam.kubesphere.io/v1beta1
   kind: WorkspaceRole
   metadata:

config/ks-core/templates/roletemplates.yaml

@@ -1103,6 +1103,8 @@ metadata:
     iam.kubesphere.io/category: workspace-access-control
     iam.kubesphere.io/scope: "workspace"
     iam.kubesphere.io/aggregate-to-viewer: ""
+    iam.kubesphere.io/aggregate-to-self-provisioner: ""
+    iam.kubesphere.io/aggregate-to-regular: ""
     kubesphere.io/managed: 'true'
   name: workspace-view-members
 spec:
@@ -1168,6 +1170,8 @@ metadata:
     iam.kubesphere.io/category: workspace-access-control
     iam.kubesphere.io/scope: "workspace"
     iam.kubesphere.io/aggregate-to-viewer: ""
+    iam.kubesphere.io/aggregate-to-regular: ""
+    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     kubesphere.io/managed: 'true'
   name: workspace-view-roles
 spec:
@@ -1788,6 +1792,7 @@ metadata:
     iam.kubesphere.io/category: workspace-app
     iam.kubesphere.io/scope: workspace
     kubesphere.io/managed: "true"
+    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     iam.kubesphere.io/aggregate-to-viewer: ""
   name: workspace-view-app-repos
 spec:
@@ -1818,7 +1823,6 @@ metadata:
     iam.kubesphere.io/category: workspace-app
     iam.kubesphere.io/scope: workspace
     kubesphere.io/managed: "true"
-    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     iam.kubesphere.io/aggregate-to-admin: ""
   name: workspace-manage-app-repos
 spec:
@@ -1943,7 +1947,6 @@ metadata:
     iam.kubesphere.io/category: workspace-app
     iam.kubesphere.io/scope: workspace
     kubesphere.io/managed: "true"
-    iam.kubesphere.io/aggregate-to-self-provisioner: ""
     iam.kubesphere.io/aggregate-to-admin: ""
   name: workspace-manage-app-templates
 spec: