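---
# ClusterRole for the k8s-watcher ServiceAccount.
#
# Every rule is read-only (get / watch / list). Nothing here grants create,
# update, patch, delete, escalate, bind or impersonate, so a compromised
# watcher pod is limited to *reading* cluster state, not changing it. Because
# this ClusterRole is bound through a ClusterRoleBinding, each enabled
# resource becomes readable in every namespace of the cluster.
#
# Toggles that deserve a second look before enabling (defaults live in
# values.yaml, not shown here):
#   watcher.resources.secret      - cluster-wide read of every Secret's data.
#   watcher.allowReadingPodLogs   - cluster-wide read of pods/log (only takes
#                                   effect with watcher.enableAgentTaskExecution).
#   watcher.resources.certificateSigningRequest
#                                 - CSR objects carry the issued certificate in
#                                   .status (public material only, no keys).
#
# The API server rejects a PolicyRule whose `resources` list is empty, so the
# rules made up solely of optional resources are guarded and only rendered
# when at least one of their resources is enabled.
{{- $res := .Values.watcher.resources }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped; metadata.namespace has no meaning on it and
  # is deliberately not rendered. The namespace matters only on the
  # ServiceAccount subject of the binding.
  name: {{ include "k8s-watcher.serviceAccountName" . }}
rules:
  # Core ("") API group. Every entry is optional, hence the guard.
  {{- if or $res.event $res.pod $res.replicationController $res.service $res.namespace $res.configMap $res.node $res.persistentVolume $res.persistentVolumeClaim $res.serviceAccount $res.secret $res.endpoints $res.limitRange $res.podTemplate $res.resourceQuota }}
  - apiGroups:
      - ""
    resources:
      {{- if $res.event }}
      - events
      {{- end }}
      {{- if $res.pod }}
      - pods
      {{- end }}
      {{- if $res.replicationController }}
      - replicationcontrollers
      {{- end }}
      {{- if $res.service }}
      - services
      {{- end }}
      {{- if $res.namespace }}
      - namespaces
      {{- end }}
      {{- if $res.configMap }}
      - configmaps
      {{- end }}
      {{- if $res.node }}
      - nodes
      {{- end }}
      {{- if $res.persistentVolume }}
      - persistentvolumes
      {{- end }}
      {{- if $res.persistentVolumeClaim }}
      - persistentvolumeclaims
      {{- end }}
      {{- if $res.serviceAccount }}
      - serviceaccounts
      {{- end }}
      {{- if $res.secret }}
      # Read access to Secrets in every namespace: every token, TLS key and
      # credential stored on the cluster. Enable only when the watcher truly
      # needs it; otherwise scope it down with a namespaced Role instead.
      - secrets
      {{- end }}
      {{- if $res.endpoints }}
      - endpoints
      {{- end }}
      {{- if $res.limitRange }}
      - limitranges
      {{- end }}
      {{- if $res.podTemplate }}
      - podtemplates
      {{- end }}
      {{- if $res.resourceQuota }}
      - resourcequotas
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}

  # RBAC objects. clusterroles is always required; the rest are optional, so
  # this rule can never render with an empty resources list. Only the
  # fully-qualified group name exists; a bare "rbac" is not an API group.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      {{- if $res.clusterRoleBinding }}
      - clusterrolebindings
      {{- end }}
      {{- if $res.roleBinding }}
      - rolebindings
      {{- end }}
      {{- if $res.role }}
      - roles
      {{- end }}
    verbs:
      - get
      - watch
      - list

  # Workload controllers. Required as the minimum installation, so the four
  # core kinds are unconditional.
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
      {{- if $res.controllerRevision }}
      - controllerrevisions
      {{- end }}
    verbs:
      - get
      - watch
      - list

  {{- if or $res.job $res.cronjob }}
  - apiGroups:
      - batch
    resources:
      {{- if $res.job }}
      - jobs
      {{- end }}
      {{- if $res.cronjob }}
      - cronjobs
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}

  # Legacy location of ingress / networkpolicy for clusters older than 1.22.
  # On newer clusters these resources exist only in networking.k8s.io and this
  # rule is inert (RBAC does not validate that a resource exists).
  {{- if or $res.ingress $res.networkPolicy $res.ingressClass }}
  - apiGroups:
      - extensions
    resources:
      {{- if $res.ingress }}
      - ingresses
      {{- end }}
      {{- if $res.networkPolicy }}
      - networkpolicies
      {{- end }}
      {{- if $res.ingressClass }}
      - ingressclasses
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if or $res.ingress $res.ingressClass $res.networkPolicy }}
  - apiGroups:
      - networking.k8s.io
    resources:
      {{- if $res.ingress }}
      - ingresses
      {{- end }}
      {{- if $res.ingressClass }}
      - ingressclasses
      {{- end }}
      {{- if $res.networkPolicy }}
      - networkpolicies
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if .Values.watcher.enableAgentTaskExecution }}
  # Agent task execution needs pod lookups independently of watcher.resources.pod.
  # Note the verbs here are get/list only, no watch.
  - apiGroups:
      - ""
    resources:
      - pods
      {{- if .Values.watcher.allowReadingPodLogs }}
      # pods/log across all namespaces: application logs routinely leak
      # credentials and personal data. Keep this off unless it is required.
      - pods/log
      {{- end }}
    verbs:
      - "get"
      - "list"
  {{- end }}

  {{- if or $res.storageClass $res.csiDriver $res.csiNode $res.csiStorageCapacity $res.volumeAttachment }}
  - apiGroups:
      - storage.k8s.io
    resources:
      {{- if $res.storageClass }}
      - storageclasses
      {{- end }}
      {{- if $res.csiDriver }}
      - csidrivers
      {{- end }}
      {{- if $res.csiNode }}
      - csinodes
      {{- end }}
      {{- if $res.csiStorageCapacity }}
      - csistoragecapacities
      {{- end }}
      {{- if $res.volumeAttachment }}
      - volumeattachments
      {{- end }}
    verbs:
      - get
      - watch
      - list
  {{- end }}

  # Always granted: used to check whether the CRDs behind optional resources
  # (for example Argo Rollouts below) are installed on the cluster.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - watch
      - list

  {{- if $res.rollout }}
  - apiGroups:
      - argoproj.io
    resources:
      - rollouts
      - rollouts/status
      # The finalizers subresource is only consulted for `update` (owner
      # reference enforcement); with read-only verbs this entry appears to be
      # inert and is kept for parity with the upstream Rollouts role.
      - rollouts/finalizers
      - analysistemplates
      - clusteranalysistemplates
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.metrics }}
  - apiGroups:
      - metrics.k8s.io
    resources:
      - nodes
      - pods
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.admissionRegistrationResources }}
  # Read-only view of which admission webhooks are registered; reveals
  # cluster policy tooling but no secrets.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.authorizationResources }}
  # The *Review APIs only support `create`; get/watch/list on them grants
  # nothing usable. Kept for completeness of the resource toggle set.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
      - selfsubjectaccessreviews
      - selfsubjectrulesreviews
      - subjectaccessreviews
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.horizontalPodAutoscaler }}
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.certificateSigningRequest }}
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.lease }}
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.endpointSlice }}
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.flowControlResources }}
  - apiGroups:
      - flowcontrol.apiserver.k8s.io
    resources:
      - flowschemas
      - prioritylevelconfigurations
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.runtimeClass }}
  - apiGroups:
      - node.k8s.io
    resources:
      - runtimeclasses
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.policyResources }}
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      # PodSecurityPolicy was removed in Kubernetes 1.25. Naming it here is
      # harmless on newer clusters (RBAC accepts unknown resources) and keeps
      # the rule working on older ones.
      - podsecuritypolicies
    verbs:
      - get
      - watch
      - list
  {{- end }}

  {{- if $res.priorityClass }}
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - watch
      - list
  {{- end }}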
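---
# Binds the k8s-watcher ClusterRole to the watcher's ServiceAccount
# cluster-wide. The single subject is that ServiceAccount only: no Group or
# User subjects, so no other identity picks up these permissions by accident.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "k8s-watcher.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "k8s-watcher.serviceAccountName" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "k8s-watcher.serviceAccountName" . }}
    # A ServiceAccount subject must carry a namespace: the API server rejects
    # the binding without one, and a wrong namespace silently grants the role
    # to a *different* account of the same name. Honour an explicit
    # .Values.namespace, otherwise fall back to the Helm release namespace,
    # which is where Helm places the namespaced ServiceAccount by default.
    namespace: {{ .Values.namespace | default .Release.Namespace }}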