rancher-partner-charts/charts/kongmesh/kuma/0.8.101/templates/cp-rbac.yaml

# Identity of the control-plane workload. The ClusterRoleBinding and
# RoleBinding further down in this file both bind to this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: {{ .Release.Namespace }}
  name: {{ include "kuma.name" . }}-control-plane
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
---
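# Cluster-wide permissions of the control plane. Access to secrets and
# write access to configmaps is deliberately not granted here; the Role
# below grants it scoped to the release namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
rules:
  # read-only view of core objects in every namespace
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - configmaps
      - nodes
    verbs:
      - get
      - list
      - watch
  # leases are fully managed (presumably leader election — confirm)
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # events are write-only. This rule was listed twice in the original
  # file; the duplicate was dropped — RBAC rules are a union, so the
  # effective permissions are unchanged.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # services can be created and modified but not deleted
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
  # kuma.io resources the control plane reads and writes unconditionally
  - apiGroups:
      - kuma.io
    resources:
      - dataplanes
      - dataplaneinsights
      - meshes
      - zones
      - zoneinsights
      - zoneingresses
      - zoneingressinsights
      - meshinsights
      - serviceinsights
      - proxytemplates
      - ratelimits
      - trafficpermissions
      - trafficroutes
      - timeouts
      - retries
      - circuitbreakers
      - virtualoutbounds
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # kuma.io resources that are read-only unless controlPlane.mode is
  # "zone", in which case the zone control plane also writes them
  - apiGroups:
      - kuma.io
    resources:
      - externalservices
      - faultinjections
      - healthchecks
      - trafficlogs
      - traffictraces
    verbs:
      - get
      - list
      - watch
      {{- if eq .Values.controlPlane.mode "zone" }}
      - create
      - update
      - patch
      - delete
      {{- end }}
  {{- if .Values.cni.enabled }}
  # rendered only when .Values.cni.enabled is set
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  {{- end }}
  # finalizer subresources. "*" grants every verb; NOTE(review): a
  # finalizer edit is an update/patch, so this is broader than strictly
  # needed — confirm against the controller before narrowing.
  - apiGroups:
      - ""
    resources:
      - pods/finalizers
    verbs:
      - "*"
  - apiGroups:
      - kuma.io
    resources:
      - meshes/finalizers
    verbs:
      - "*"
  - apiGroups:
      - kuma.io
    resources:
      - dataplanes/finalizers
    verbs:
      - "*"
  # validate k8s token before issuing mTLS cert
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create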
---
# Grants the cluster-wide ClusterRole above to the control-plane
# ServiceAccount defined at the top of this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
subjects:
  - namespace: {{ .Release.Namespace }}
    kind: ServiceAccount
    name: {{ include "kuma.name" . }}-control-plane
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: {{ include "kuma.name" . }}-control-plane
---
# Namespace-scoped permissions: full management of secrets and configmaps,
# limited to the release namespace. The ClusterRole above intentionally
# carries no secret access, so this Role is the only place it is granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {{ .Release.Namespace }}
  name: {{ include "kuma.name" . }}-control-plane
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [get, list, watch, create, update, patch, delete]
---
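# Grants the namespaced Role above to the control-plane ServiceAccount.
# Labels were added for consistency with the other four resources in this
# file, which all carry the shared "kuma.labels" set.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "kuma.name" . }}-control-plane
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kuma.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kuma.name" . }}-control-plane
subjects:
  - kind: ServiceAccount
    name: {{ include "kuma.name" . }}-control-plane
    namespace: {{ .Release.Namespace }}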