okd/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml

apiVersion: v1
kind: Template
metadata:
  name: kube-system-service-catalog-role-bindings
objects:

- apiVersion: authorization.openshift.io/v1
  kind: Role
  metadata:
    name: extension-apiserver-authentication-reader
    namespace: ${KUBE_SYSTEM_NAMESPACE}
  rules:
  - apiGroups:
    - ""
    resourceNames:
    - extension-apiserver-authentication
    resources:
    - configmaps
    verbs:
    - get

- apiVersion: authorization.openshift.io/v1
  kind: RoleBinding
  metadata:
    name: extension-apiserver-authentication-reader-binding
    namespace: ${KUBE_SYSTEM_NAMESPACE}
  roleRef:
    name: extension-apiserver-authentication-reader
    namespace: ${KUBE_SYSTEM_NAMESPACE}
  subjects:
  - kind: ServiceAccount
    name: service-catalog-apiserver
    namespace: kube-service-catalog

parameters:
- description: Do not change this value.
  displayName: Name of the kube-system namespace
  name: KUBE_SYSTEM_NAMESPACE
  required: true
  value: kube-system