rancher-charts/packages/rancher-cis-benchmark/charts/templates/rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: rancher-cis-benchmark
    app.kubernetes.io/instance: release-name
  name: cis-operator-clusterrole
rules:
- apiGroups:
  - "cis.cattle.io"
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - "pods"
  - "services"
  - "configmaps"
  - "nodes"
  - "serviceaccounts"
  verbs:
  - "get"
  - "list"
  - "create"
  - "update"
  - "watch"
  - "patch"
- apiGroups:
  - "batch"
  resources:
  - "jobs"
  verbs:
  - "list"
  - "create"
  - "patch"
  - "update"
  - "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: rancher-cis-benchmark
    app.kubernetes.io/instance: release-name
  name: cis-scan-ns
rules:
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
- apiGroups:
  - "*"
  resources:
  - "podsecuritypolicies"
  verbs: 
  - "get"
  - "list"
  - "watch"
{{- end }}
- apiGroups:
  - ""
  resources:
  - "namespaces"
  - "nodes"
  - "pods"
  verbs:
  - "get"
  - "list"
  - "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cis-operator-role
  labels:
    app.kubernetes.io/name: rancher-cis-benchmark
    app.kubernetes.io/instance: release-name
  namespace: {{ template "cis.namespace" . }}
rules:
- apiGroups:
  - ""
  resources:
  - "services"
  verbs:
  - "watch"
  - "list"
  - "get"
  - "patch"
- apiGroups:
  - "batch"
  resources:
  - "jobs"
  verbs:
  - "watch"
  - "list"
  - "get"
  - "delete"
- apiGroups:
  - ""
  resources:
  - "configmaps"
  - "pods"
  - "secrets"
  verbs:
  - "*"
- apiGroups:
  - "apps"
  resources:
  - "daemonsets"
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: rancher-cis-benchmark
    app.kubernetes.io/instance: release-name
  name: cis-operator-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cis-operator-clusterrole
subjects:
- kind: ServiceAccount
  name: cis-operator-serviceaccount
  namespace: {{ template "cis.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cis-scan-ns
  labels:
    app.kubernetes.io/name: rancher-cis-benchmark
    app.kubernetes.io/instance: release-name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cis-scan-ns
subjects:
- kind: ServiceAccount
  name: cis-serviceaccount
  namespace: {{ template "cis.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/name: rancher-cis-benchmark
    app.kubernetes.io/instance: release-name
  name: cis-operator-rolebinding
  namespace: {{ template "cis.namespace" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cis-operator-role
subjects:
- kind: ServiceAccount
  name: cis-serviceaccount
  namespace: {{ template "cis.namespace" . }}
- kind: ServiceAccount
  name: cis-operator-serviceaccount
  namespace: {{ template "cis.namespace" . }}
(dev-v2.6-archive) Fix/issue 32301 (#1247) * cis 1.0.6 1.22 fixes * make charts (partially cherry picked from commit 0e089425ab2a79970ee0f8fcc6053a97a19b4b68) 2021-06-15 22:04:10 +00:00			`apiVersion: rbac.authorization.k8s.io/v1`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`kind: ClusterRole`
			`metadata:`
			`labels:`
			`app.kubernetes.io/name: rancher-cis-benchmark`
			`app.kubernetes.io/instance: release-name`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`name: cis-operator-clusterrole`
			`rules:`
			`- apiGroups:`
			`- "cis.cattle.io"`
			`resources:`
			`- "*"`
			`verbs:`
			`- "*"`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- "pods"`
			`- "services"`
			`- "configmaps"`
			`- "nodes"`
Add pre-hook for upgrade fix and add serviceaccounts rbac 2022-10-13 18:51:13 +00:00			`- "serviceaccounts"`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`verbs:`
			`- "get"`
			`- "list"`
			`- "create"`
			`- "update"`
			`- "watch"`
Add pre-hook for upgrade fix and add serviceaccounts rbac 2022-10-13 18:51:13 +00:00			`- "patch"`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`- apiGroups:`
			`- "batch"`
			`resources:`
			`- "jobs"`
			`verbs:`
			`- "list"`
			`- "create"`
			`- "patch"`
			`- "update"`
			`- "watch"`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`labels:`
			`app.kubernetes.io/name: rancher-cis-benchmark`
			`app.kubernetes.io/instance: release-name`
			`name: cis-scan-ns`
			`rules:`
add condition to check for PSP capability in rancher-cis-benchmark 2022-12-26 11:53:16 +00:00			`{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}`
fix permissions for cis-serviceaccount 2022-10-18 20:59:53 +00:00			`- apiGroups:`
			`- "*"`
			`resources:`
			`- "podsecuritypolicies"`
			`verbs:`
			`- "get"`
			`- "list"`
			`- "watch"`
add condition to check for PSP capability in rancher-cis-benchmark 2022-12-26 11:53:16 +00:00			`{{- end }}`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`- apiGroups:`
			`- ""`
			`resources:`
			`- "namespaces"`
			`- "nodes"`
fix permissions for cis-serviceaccount 2022-10-18 20:59:53 +00:00			`- "pods"`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`verbs:`
			`- "get"`
			`- "list"`
			`- "watch"`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`name: cis-operator-role`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`labels:`
			`app.kubernetes.io/name: rancher-cis-benchmark`
			`app.kubernetes.io/instance: release-name`
			`namespace: {{ template "cis.namespace" . }}`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`rules:`
			`- apiGroups:`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`- ""`
			`resources:`
			`- "services"`
			`verbs:`
			`- "watch"`
			`- "list"`
			`- "get"`
			`- "patch"`
			`- apiGroups:`
			`- "batch"`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`resources:`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`- "jobs"`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`verbs:`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`- "watch"`
			`- "list"`
			`- "get"`
			`- "delete"`
			`- apiGroups:`
			`- ""`
			`resources:`
			`- "configmaps"`
			`- "pods"`
			`- "secrets"`
			`verbs:`
			`- "*"`
			`- apiGroups:`
			`- "apps"`
			`resources:`
			`- "daemonsets"`
			`verbs:`
			`- "*"`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`---`
(dev-v2.6-archive) Fix/issue 32301 (#1247) * cis 1.0.6 1.22 fixes * make charts (partially cherry picked from commit 0e089425ab2a79970ee0f8fcc6053a97a19b4b68) 2021-06-15 22:04:10 +00:00			`apiVersion: rbac.authorization.k8s.io/v1`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`kind: ClusterRoleBinding`
			`metadata:`
			`labels:`
			`app.kubernetes.io/name: rancher-cis-benchmark`
			`app.kubernetes.io/instance: release-name`
			`name: cis-operator-rolebinding`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`name: cis-operator-clusterrole`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`subjects:`
			`- kind: ServiceAccount`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`name: cis-operator-serviceaccount`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`namespace: {{ template "cis.namespace" . }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`kind: ClusterRoleBinding`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`metadata:`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`name: cis-scan-ns`
			`labels:`
			`app.kubernetes.io/name: rancher-cis-benchmark`
			`app.kubernetes.io/instance: release-name`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: cis-scan-ns`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`subjects:`
			`- kind: ServiceAccount`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`name: cis-serviceaccount`
			`namespace: {{ template "cis.namespace" . }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`labels:`
			`app.kubernetes.io/name: rancher-cis-benchmark`
			`app.kubernetes.io/instance: release-name`
			`name: cis-operator-rolebinding`
(dev-v2.6-archive) Checkout current packages from dev-v2.5-source ```bash git fetch upstream git checkout upstream/dev-v2.5-source -- packages; git reset HEAD; git checkout -- packages/README.md ``` (partially cherry picked from commit 551327b14eb2607047bc70c4851369c5174893e3) 2021-05-17 22:30:18 +00:00			`namespace: {{ template "cis.namespace" . }}`
			`roleRef:`
Add RBAC roles for cis benchmark chart 2022-10-12 18:07:16 +00:00			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: cis-operator-role`
			`subjects:`
			`- kind: ServiceAccount`
			`name: cis-serviceaccount`
			`namespace: {{ template "cis.namespace" . }}`
Add privielges to cis-operator-serviceaccount in cis-operator namespace 2022-10-14 00:05:27 +00:00			`- kind: ServiceAccount`
			`name: cis-operator-serviceaccount`
			`namespace: {{ template "cis.namespace" . }}`