Diffstat (limited to 'deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml')
-rw-r--r-- | deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml | 315 |
1 files changed, 315 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml
new file mode 100644
index 00000000..d506ee41
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-rbac.yaml
@@ -0,0 +1,315 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-operator
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-operator
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - replicationcontrollers
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - deployments/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ - ingresses/status
+ verbs:
+ - '*'
+- apiGroups:
+ - extensions
+ resources:
+ - deployments
+ verbs:
+ - get
+- apiGroups:
+ - extensions
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - extensions
+ resources:
+ - replicasets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ - roles
+ - rolebindings
+ - ""
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - istios
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - istios/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - authentication.istio.io
+ - cloud.istio.io
+ - config.istio.io
+ - istio.istio.io
+ - networking.istio.io
+ - rbac.istio.io
+ - scalingpolicy.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - deployments/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - remoteistios
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - remoteistios/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - istio.banzaicloud.io
+ resources:
+ - istios
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-operator
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "istio-operator.fullname" . }}-operator
+subjects:
+- kind: ServiceAccount
+ name: {{ include "istio-operator.fullname" . }}-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }} |
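Review bot: The ClusterRole gives the operator's service account full read/write on `secrets` in every namespace, `'*'` on `mutatingwebhookconfigurations` and `customresourcedefinitions`, and write access to `clusterroles`/`clusterrolebindings`, so anyone holding the operator pod's token can read every Secret in the cluster and control admission webhooks. If the operator only needs Secrets in the namespaces it manages (not visible from this template), the `secrets` rule belongs in a namespaced `Role`/`RoleBinding` there, and the `'*'` verb lists are better spelled out, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, so that new verbs are not granted implicitly. The `- ""` entry in the `rbac.authorization.k8s.io` resources list names no resource, and the `apps` rules for `deployments` and `deployments/status` are repeated further down; both look like generator leftovers and removing them would make the effective grant easier to audit. The label values are unquoted template output, so `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` would keep a numeric-looking version from being parsed as a float.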