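---
# ClusterRole for the k8s-watcher ServiceAccount.
#
# Every rule is read-only (get/list/watch). Most resources are gated
# behind .Values.watcher.resources.<name> so an operator can keep the
# grant to what the watcher actually needs; the ungated rules
# (clusterroles, the apps/v1 workload kinds, customresourcedefinitions)
# are the baseline the chart requires.
#
# Each gated rule is only rendered when at least one of its resources
# is enabled: the API server rejects a PolicyRule whose `resources`
# list is empty ("resource rules must supply at least one resource"),
# so emitting a rule with every toggle off would make the whole
# ClusterRole fail to apply.
#
# A ClusterRole is cluster-scoped, so metadata.namespace is deliberately
# not set (the API server discards it on cluster-scoped objects anyway).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "k8s-watcher.serviceAccountName" . }}
rules:
  {{- $r := .Values.watcher.resources }}
  {{- if or $r.event $r.pod $r.replicationController $r.service $r.namespace $r.configMap $r.node $r.persistentVolume $r.persistentVolumeClaim $r.serviceAccount $r.secret $r.endpoints $r.limitRange $r.podTemplate $r.resourceQuota }}
  - apiGroups:
      - ""
    resources:
      {{- if $r.event }}
      - events
      {{- end }}
      {{- if $r.pod }}
      - pods
      {{- end }}
      {{- if $r.replicationController }}
      - replicationcontrollers
      {{- end }}
      {{- if $r.service }}
      - services
      {{- end }}
      {{- if $r.namespace }}
      - namespaces
      {{- end }}
      {{- if $r.configMap }}
      # ConfigMaps are read cluster-wide; they are frequently (mis)used
      # to hold credentials, so treat this as sensitive data access.
      - configmaps
      {{- end }}
      {{- if $r.node }}
      - nodes
      {{- end }}
      {{- if $r.persistentVolume }}
      - persistentvolumes
      {{- end }}
      {{- if $r.persistentVolumeClaim }}
      - persistentvolumeclaims
      {{- end }}
      {{- if $r.serviceAccount }}
      - serviceaccounts
      {{- end }}
      {{- if $r.secret }}
      # WARNING: grants read access to EVERY Secret in the cluster
      # (ServiceAccount tokens, TLS keys, application credentials).
      # A compromise of the watcher pod then equals a cluster-wide
      # credential dump. Keep disabled unless the watcher genuinely
      # needs Secret objects.
      - secrets
      {{- end }}
      {{- if $r.endpoints }}
      - endpoints
      {{- end }}
      {{- if $r.limitRange }}
      - limitranges
      {{- end }}
      {{- if $r.podTemplate }}
      - podtemplates
      {{- end }}
      {{- if $r.resourceQuota }}
      - resourcequotas
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}
  # The "rbac" group name is kept for backward compatibility with the
  # original chart; only rbac.authorization.k8s.io exists upstream.
  - apiGroups:
      - rbac
      - rbac.authorization.k8s.io
    resources:
      # clusterroles is always granted (baseline requirement).
      - clusterroles
      {{- if $r.clusterRoleBinding }}
      - clusterrolebindings
      {{- end }}
      {{- if $r.roleBinding }}
      - rolebindings
      {{- end }}
      {{- if $r.role }}
      - roles
      {{- end }}
    verbs:
      - get
      - watch
      - list
  # Required as minimum installation.
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      {{- if $r.controllerRevision }}
      - controllerrevisions
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- if or $r.job $r.cronjob }}
  - apiGroups:
      - batch
    resources:
      {{- if $r.job }}
      - jobs
      {{- end }}
      {{- if $r.cronjob }}
      - cronjobs
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if or $r.ingress $r.networkPolicy $r.ingressClass }}
  # Legacy "extensions" group, kept for clusters older than v1.22 where
  # these kinds were still served there. Harmless on newer clusters.
  - apiGroups:
      - extensions
    resources:
      {{- if $r.ingress }}
      - ingresses
      {{- end }}
      {{- if $r.networkPolicy }}
      - networkpolicies
      {{- end }}
      {{- if $r.ingressClass }}
      - ingressclasses
      {{- end }}
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - networking.k8s.io
    resources:
      {{- if $r.ingress }}
      - ingresses
      {{- end }}
      {{- if $r.ingressClass }}
      - ingressclasses
      {{- end }}
      {{- if $r.networkPolicy }}
      - networkpolicies
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if .Values.watcher.enableAgentTaskExecution }}
  - apiGroups:
      - ""
    resources:
      - pods
      {{- if .Values.watcher.allowReadingPodLogs }}
      # WARNING: pods/log exposes the stdout/stderr of every container
      # in the cluster, which routinely leaks tokens, connection strings
      # and PII. Enable only with that blast radius understood.
      - pods/log
      {{- end }}
    verbs:
      - get
      - list
  {{- end }}
  {{- if or $r.storageClass $r.csiDriver $r.csiNode $r.csiStorageCapacity $r.volumeAttachment }}
  - apiGroups:
      - storage.k8s.io
    resources:
      {{- if $r.storageClass }}
      - storageclasses
      {{- end }}
      {{- if $r.csiDriver }}
      - csidrivers
      {{- end }}
      {{- if $r.csiNode }}
      - csinodes
      {{- end }}
      {{- if $r.csiStorageCapacity }}
      - csistoragecapacities
      {{- end }}
      {{- if $r.volumeAttachment }}
      - volumeattachments
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}
  # Required to validate whether the CRDs enabled below exist on the
  # cluster.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - watch
      - list
  {{- if $r.rollout }}
  - apiGroups:
      - argoproj.io
    resources:
      - rollouts
      - rollouts/status
      - rollouts/finalizers
      - analysistemplates
      - clusteranalysistemplates
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.metrics }}
  - apiGroups:
      - metrics.k8s.io
    resources:
      - nodes
      - pods
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.admissionRegistrationResources }}
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.authorizationResources }}
  # NOTE(review): the *AccessReview / *RulesReview kinds are create-only
  # virtual resources; get/list/watch on them is accepted by RBAC
  # validation but cannot be exercised. Kept for compatibility.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
      - selfsubjectaccessreviews
      - selfsubjectrulesreviews
      - subjectaccessreviews
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.horizontalPodAutoscaler }}
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.certificateSigningRequest }}
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.lease }}
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.endpointSlice }}
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.flowControlResources }}
  - apiGroups:
      - flowcontrol.apiserver.k8s.io
    resources:
      - flowschemas
      - prioritylevelconfigurations
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.runtimeClass }}
  - apiGroups:
      - node.k8s.io
    resources:
      - runtimeclasses
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.policyResources }}
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      # PodSecurityPolicy was removed in Kubernetes v1.25; RBAC does not
      # validate resource existence, so this entry is inert there.
      - podsecuritypolicies
    verbs:
      - get
      - watch
      - list
  {{- end }}
  {{- if $r.priorityClass }}
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - watch
      - list
  {{- end }}
---
# Binds the ClusterRole above to the watcher's ServiceAccount
# cluster-wide. Because the binding is cluster-scoped, every grant
# above applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "k8s-watcher.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "k8s-watcher.serviceAccountName" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "k8s-watcher.serviceAccountName" . }}
    # A ServiceAccount subject in a ClusterRoleBinding must carry a
    # namespace or the API server rejects the object, so fall back to
    # the release namespace when .Values.namespace is not provided.
    # NOTE(review): assumes the ServiceAccount itself is created in that
    # same namespace — confirm against the serviceaccount template.
    namespace: {{ .Values.namespace | default .Release.Namespace }}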