andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/komodor/k8s-watcher/templates/clusterrole.yaml

329 lines
6.7 KiB
YAML
Raw Normal View History

Make charts
2022-07-17 12:15:02 +00:00
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "k8s-watcher.serviceAccountName" . }}
{{- if hasKey .Values "namespace" }}
namespace: {{ .Values.namespace }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
{{- if .Values.watcher.resources.event }}
- events
{{- end }}
{{- if .Values.watcher.resources.pod }}
- pods
{{- end }}
{{- if .Values.watcher.resources.replicationController }}
- replicationcontrollers
{{- end }}
{{- if .Values.watcher.resources.service }}
- services
{{- end }}
{{- if .Values.watcher.resources.namespace }}
- namespaces
{{- end }}
{{- if .Values.watcher.resources.configMap }}
- configmaps
{{- end }}
{{- if .Values.watcher.resources.node }}
- nodes
{{- end }}
{{- if .Values.watcher.resources.persistentVolume }}
- persistentvolumes
{{- end }}
{{- if .Values.watcher.resources.persistentVolumeClaim }}
- persistentvolumeclaims
{{- end }}
{{- if .Values.watcher.resources.serviceAccount }}
- serviceaccounts
{{- end }}
{{- if .Values.watcher.resources.secret }}
- secrets
{{- end }}
{{- if .Values.watcher.resources.endpoints }}
- endpoints
{{- end }}
{{- if .Values.watcher.resources.limitRange }}
- limitranges
{{- end }}
{{- if .Values.watcher.resources.podTemplate }}
- podtemplates
{{- end }}
{{- if .Values.watcher.resources.resourceQuota }}
- resourcequotas
{{- end }}
verbs:
- get
- watch
- list
- apiGroups:
- rbac
- rbac.authorization.k8s.io
resources:
- clusterroles
{{- if .Values.watcher.resources.clusterRoleBinding }}
- clusterrolebindings
{{- end }}
{{- if .Values.watcher.resources.roleBinding }}
- rolebindings
{{- end }}
{{- if .Values.watcher.resources.role }}
- roles
{{- end }}
verbs:
- get
- watch
- list
- apiGroups: # Required as minimum installation
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
{{- if .Values.watcher.resources.controllerRevision }}
- controllerrevisions
{{- end }}
verbs:
- get
- watch
- list
- apiGroups:
- batch
resources:
{{- if .Values.watcher.resources.job }}
- jobs
{{- end }}
{{- if .Values.watcher.resources.cronjob }}
- cronjobs
{{- end }}
verbs:
- get
- watch
- list
- apiGroups:
- extensions
resources:
{{- if .Values.watcher.resources.ingress }}
- ingresses
{{- end }}
{{- if .Values.watcher.resources.networkPolicy }}
- networkpolicies
{{- end }}
{{- if .Values.watcher.resources.ingressClass }}
- ingressclasses
{{- end }}
verbs:
- get
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
{{- if .Values.watcher.resources.ingress }}
- ingresses
{{- end }}
{{- if .Values.watcher.resources.ingressClass }}
- ingressclasses
{{- end }}
{{- if .Values.watcher.resources.networkPolicy }}
- networkpolicies
{{- end }}
verbs:
- get
- watch
- list
{{- if .Values.watcher.enableAgentTaskExecution }}
- apiGroups:
- ""
resources:
- pods
{{- if .Values.watcher.allowReadingPodLogs }}
- pods/log
{{- end }}
verbs:
- "get"
- "list"
{{- end }}
- apiGroups:
- storage.k8s.io
resources:
{{- if .Values.watcher.resources.storageClass }}
- storageclasses
{{- end }}
{{- if .Values.watcher.resources.csiDriver }}
- csidrivers
{{- end }}
{{- if .Values.watcher.resources.csiNode }}
- csinodes
{{- end }}
{{- if .Values.watcher.resources.csiStorageCapacity }}
- csistoragecapacities
{{- end }}
{{- if .Values.watcher.resources.volumeAttachment }}
- volumeattachments
{{- end }}
verbs:
- get
- watch
- list
# Required to validate if enabled CRDs are enabled on cluster
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- watch
- list
{{- if .Values.watcher.resources.rollout }}
- apiGroups:
- argoproj.io
resources:
- rollouts
- rollouts/status
- rollouts/finalizers
- analysistemplates
- clusteranalysistemplates
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.metrics }}
- apiGroups:
- metrics.k8s.io
resources:
- nodes
- pods
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.admissionRegistrationResources }}
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.authorizationResources }}
- apiGroups:
- authorization.k8s.io
resources:
- localsubjectaccessreviews
- selfsubjectaccessreviews
- selfsubjectrulesreviews
- subjectaccessreviews
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.horizontalPodAutoscaler }}
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.certificateSigningRequest }}
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.lease }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.endpointSlice }}
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.flowControlResources }}
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- flowschemas
- prioritylevelconfigurations
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.runtimeClass }}
- apiGroups:
- node.k8s.io
resources:
- runtimeclasses
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.policyResources }}
- apiGroups:
- policy
resources:
- poddisruptionbudgets
- podsecuritypolicies
verbs:
- get
- watch
- list
{{- end }}
{{- if .Values.watcher.resources.priorityClass }}
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- watch
- list
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "k8s-watcher.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "k8s-watcher.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ include "k8s-watcher.serviceAccountName" . }}
{{- if hasKey .Values "namespace" }}
namespace: {{ .Values.namespace }}
{{- end }}