summaryrefslogtreecommitdiffstats
path: root/deployments/helm/servicemesh/metallb/templates/rbac.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'deployments/helm/servicemesh/metallb/templates/rbac.yaml')
-rw-r--r--deployments/helm/servicemesh/metallb/templates/rbac.yaml117
1 files changed, 117 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/metallb/templates/rbac.yaml b/deployments/helm/servicemesh/metallb/templates/rbac.yaml
new file mode 100644
index 00000000..658df7e6
--- /dev/null
+++ b/deployments/helm/servicemesh/metallb/templates/rbac.yaml
@@ -0,0 +1,117 @@
+{{- if .Values.rbac.create -}}
+
+# Roles
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "metallb.fullname" . }}:controller
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ template "metallb.chart" . }}
+ app: {{ template "metallb.name" . }}
+rules:
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list", "watch", "update"]
+- apiGroups: [""]
+ resources: ["services/status"]
+ verbs: ["update"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "metallb.fullname" . }}:speaker
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ template "metallb.chart" . }}
+ app: {{ template "metallb.name" . }}
+rules:
+- apiGroups: [""]
+ resources: ["services", "endpoints", "nodes"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+{{- if .Values.psp.create }}
+- apiGroups: ["extensions"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: [{{ printf "%s-speaker" (include "metallb.fullname" .) | quote}}]
+ verbs: ["use"]
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "metallb.fullname" . }}-config-watcher
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ template "metallb.chart" . }}
+ app: {{ template "metallb.name" . }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+---
+
+## Role bindings
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "metallb.fullname" . }}:controller
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ template "metallb.chart" . }}
+ app: {{ template "metallb.name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "metallb.controllerServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "metallb.fullname" . }}:controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "metallb.fullname" . }}:speaker
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ template "metallb.chart" . }}
+ app: {{ template "metallb.name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "metallb.speakerServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "metallb.fullname" . }}:speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "metallb.fullname" . }}-config-watcher
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ template "metallb.chart" . }}
+ app: {{ template "metallb.name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "metallb.controllerServiceAccountName" . }}
+- kind: ServiceAccount
+ name: {{ template "metallb.speakerServiceAccountName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "metallb.fullname" . }}-config-watcher
+{{- end -}}