Diffstat (limited to 'deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml')
-rw-r--r--deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml54
1 files changed, 54 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml b/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml
new file mode 100644
index 00000000..8a047e03
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/authproxy-rbac.yaml
@@ -0,0 +1,54 @@
+{{- if and .Values.rbac.enabled .Values.prometheusMetrics.enabled .Values.prometheusMetrics.authProxy.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-authproxy
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: authproxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "{{ include "istio-operator.fullname" . }}-authproxy"
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: authproxy
+rules:
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+ resources:
+ - subjectaccessreviews
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: "{{ include "istio-operator.fullname" . }}-authproxy"
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: authproxy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "{{ include "istio-operator.fullname" . }}-authproxy"
+subjects:
+- kind: ServiceAccount
+ name: {{ include "istio-operator.fullname" . }}-authproxy
+ namespace: {{ .Release.Namespace }}
+{{- end }}
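Review bot: The `app.kubernetes.io/version` label on all three objects is rendered unquoted from `.Chart.AppVersion`, so a numeric-looking appVersion (for example `1.10`) would be parsed as a float and the API server would reject the label, which must be a string. I would write it as `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}`, and for consistency quote the ServiceAccount `name` the same way the ClusterRole and ClusterRoleBinding names are already quoted. Separately, the ClusterRole is cluster-scoped and grants `create` on `tokenreviews` and `subjectaccessreviews`, which is the same rule set as the built-in `system:auth-delegator` role. A short comment above `rules:` would make the intent auditable, e.g. `# Delegated authn/authz checks for the metrics auth proxy; no other API access is granted.` Because the ClusterRole and ClusterRoleBinding names derive only from the chart fullname, two releases with the same name in different namespaces would presumably collide on these cluster-scoped objects; confirm whether that install pattern needs to be supported.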