From c453b17f1d0144ca0e084da00f2e55de5e922d31 Mon Sep 17 00:00:00 2001 From: Pramod Date: Wed, 31 Jul 2019 12:57:09 -0700 Subject: Helm chart for Istio Operator Operator is required to manage the lifecycle fo Istio deployments Issue-ID: MULTICLOUD-710 Signed-off-by: Pramod Change-Id: I9ea2427eb88caf06c41fcf2fb6f0cc0c66e8fb96 --- .../istio-operator/templates/operator-rbac.yaml | 315 +++++++++++++++++++++ 1 file changed, 315 insertions(+) create mode 100644 vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml (limited to 'vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml')
diff --git a/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml
new file mode 100644
index 00000000..d506ee41
--- /dev/null
+++ b/vnfs/DAaaS/deploy/00-init/istio/istio-operator/templates/operator-rbac.yaml
@@ -0,0 +1,315 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-operator
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-operator
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - replicationcontrollers
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - deployments/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ - ingresses/status
+ verbs:
+ - '*'
+- apiGroups:
+ - extensions
+ resources:
+ - deployments
+ verbs:
+ - get
+- apiGroups:
+ - extensions
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - extensions
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ - ""
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - istios
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - istios/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - authentication.istio.io
+ - cloud.istio.io
+ - config.istio.io
+ - istio.istio.io
+ - networking.istio.io
+ - rbac.istio.io
+ - scalingpolicy.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - deployments/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - remoteistios
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - remoteistios/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - istios
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-operator
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "istio-operator.fullname" . }}-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ include "istio-operator.fullname" . }}-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }}
-- cgit 1.2.3-korg
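Review bot: The ClusterRole bound to the operator ServiceAccount is close to cluster-admin in effect. It combines cluster-wide `create`/`update`/`patch`/`delete` on `secrets`, write access to `clusterroles` and `clusterrolebindings`, and `'*'` verbs on `customresourcedefinitions` and `mutatingwebhookconfigurations`, so a compromise of the operator pod would expose every namespace's secrets and the admission path. Each of these rules should carry a comment naming the operator function that needs it, and the `'*'` verbs should be narrowed to the explicit list already used elsewhere in the file (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) wherever that is sufficient. The `rbac.authorization.k8s.io` rule also lists an empty resource name, `- ""`, which appears to be a leftover. Several grants are repeated, which makes the effective permission set harder to audit: the `apps` `deployments` and `deployments/status` rules, the `istios` rule, `validatingwebhookconfigurations`, and `services`/`endpoints`/`pods` within the first rule. Separately, label values such as `app.kubernetes.io/version: {{ .Chart.AppVersion }}` are unquoted, so a numeric-looking version would render as a non-string; `{{ .Chart.AppVersion | quote }}` avoids that.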