charts/metallb/templates/rbac.yaml - pcloud - Gitiles

 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "metallb.fullname" . }}:controller
   labels:
     {{- include "metallb.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
   resources: ["services", "namespaces"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["list"]
 - apiGroups: [""]
   resources: ["services/status"]
   verbs: ["update"]
 - apiGroups: [""]
   resources: ["events"]
   verbs: ["create", "patch"]
 - apiGroups: ["admissionregistration.k8s.io"]
   resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
   resourceNames: ["metallb-webhook-configuration"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
   resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
   verbs: ["list", "watch"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   resourceNames: ["addresspools.metallb.io","bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
     "bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   verbs: ["list", "watch"]
 {{- if .Values.prometheus.secureMetricsPort }}
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["create"]
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "metallb.fullname" . }}:speaker
   labels:
     {{- include "metallb.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
   resources: ["services", "endpoints", "nodes", "namespaces"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["discovery.k8s.io"]
   resources: ["endpointslices"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["events"]
   verbs: ["create", "patch"]
 {{- if .Values.prometheus.secureMetricsPort }}
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["create"]
 - apiGroups: ["authorization.k8s.io"]
   resources: ["subjectaccessreviews"]
   verbs: ["create"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "metallb.fullname" . }}-pod-lister
   namespace: {{ .Release.Namespace | quote }}
   labels: {{- include "metallb.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["list"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["addresspools"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["bfdprofiles"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["bgppeers"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["l2advertisements"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["bgpadvertisements"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["ipaddresspools"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["communities"]
   verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "metallb.fullname" . }}-controller
   namespace: {{ .Release.Namespace | quote }}
   labels: {{- include "metallb.labels" . | nindent 4 }}
 rules:
 {{- if .Values.speaker.memberlist.enabled }}
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["create", "get", "list", "watch"]
 - apiGroups: [""]
   resources: ["secrets"]
   resourceNames: [{{ include "metallb.secretName" . | quote }}]
   verbs: ["list"]
 - apiGroups: ["apps"]
   resources: ["deployments"]
   resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
   verbs: ["get"]
 {{- end }}
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["addresspools"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["ipaddresspools"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
   resources: ["bgppeers"]
   verbs: ["get", "list"]
 - apiGroups: ["metallb.io"]
   resources: ["bgpadvertisements"]
   verbs: ["get", "list"]
 - apiGroups: ["metallb.io"]
   resources: ["l2advertisements"]
   verbs: ["get", "list"]
 - apiGroups: ["metallb.io"]
   resources: ["communities"]
   verbs: ["get", "list","watch"]
 - apiGroups: ["metallb.io"]
   resources: ["bfdprofiles"]
   verbs: ["get", "list","watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "metallb.fullname" . }}:controller
   labels:
     {{- include "metallb.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   name: {{ template "metallb.controller.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ template "metallb.fullname" . }}:controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "metallb.fullname" . }}:speaker
   labels:
     {{- include "metallb.labels" . | nindent 4 }}
 subjects:
 - kind: ServiceAccount
   name: {{ template "metallb.speaker.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: {{ template "metallb.fullname" . }}:speaker
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "metallb.fullname" . }}-pod-lister
   namespace: {{ .Release.Namespace | quote }}
   labels: {{- include "metallb.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: {{ include "metallb.fullname" . }}-pod-lister
 subjects:
 - kind: ServiceAccount
   name: {{ include "metallb.speaker.serviceAccountName" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "metallb.fullname" . }}-controller
   namespace: {{ .Release.Namespace | quote }}
   labels: {{- include "metallb.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: {{ include "metallb.fullname" . }}-controller
 subjects:
 - kind: ServiceAccount
   name: {{ include "metallb.controller.serviceAccountName" . }}
 {{- end -}}
	{{- if .Values.rbac.create -}}
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: {{ template "metallb.fullname" . }}:controller
	labels:
	{{- include "metallb.labels" . \| nindent 4 }}
	rules:
	- apiGroups: [""]
	resources: ["services", "namespaces"]
	verbs: ["get", "list", "watch"]
	- apiGroups: [""]
	resources: ["nodes"]
	verbs: ["list"]
	- apiGroups: [""]
	resources: ["services/status"]
	verbs: ["update"]
	- apiGroups: [""]
	resources: ["events"]
	verbs: ["create", "patch"]
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
	resourceNames: ["metallb-webhook-configuration"]
	verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
	verbs: ["list", "watch"]
	- apiGroups: ["apiextensions.k8s.io"]
	resources: ["customresourcedefinitions"]
	resourceNames: ["addresspools.metallb.io","bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
	"bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
	verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
	- apiGroups: ["apiextensions.k8s.io"]
	resources: ["customresourcedefinitions"]
	verbs: ["list", "watch"]
	{{- if .Values.prometheus.secureMetricsPort }}
	- apiGroups: ["authentication.k8s.io"]
	resources: ["tokenreviews"]
	verbs: ["create"]
	- apiGroups: ["authorization.k8s.io"]
	resources: ["subjectaccessreviews"]
	verbs: ["create"]
	{{- end }}
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: {{ template "metallb.fullname" . }}:speaker
	labels:
	{{- include "metallb.labels" . \| nindent 4 }}
	rules:
	- apiGroups: [""]
	resources: ["services", "endpoints", "nodes", "namespaces"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["discovery.k8s.io"]
	resources: ["endpointslices"]
	verbs: ["get", "list", "watch"]
	- apiGroups: [""]
	resources: ["events"]
	verbs: ["create", "patch"]
	{{- if .Values.prometheus.secureMetricsPort }}
	- apiGroups: ["authentication.k8s.io"]
	resources: ["tokenreviews"]
	verbs: ["create"]
	- apiGroups: ["authorization.k8s.io"]
	resources: ["subjectaccessreviews"]
	verbs: ["create"]
	{{- end }}
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: {{ include "metallb.fullname" . }}-pod-lister
	namespace: {{ .Release.Namespace \| quote }}
	labels: {{- include "metallb.labels" . \| nindent 4 }}
	rules:
	- apiGroups: [""]
	resources: ["pods"]
	verbs: ["list"]
	- apiGroups: [""]
	resources: ["secrets"]
	verbs: ["get", "list", "watch"]
	- apiGroups: [""]
	resources: ["configmaps"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["addresspools"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["bfdprofiles"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["bgppeers"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["l2advertisements"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["bgpadvertisements"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["ipaddresspools"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["communities"]
	verbs: ["get", "list", "watch"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: {{ include "metallb.fullname" . }}-controller
	namespace: {{ .Release.Namespace \| quote }}
	labels: {{- include "metallb.labels" . \| nindent 4 }}
	rules:
	{{- if .Values.speaker.memberlist.enabled }}
	- apiGroups: [""]
	resources: ["secrets"]
	verbs: ["create", "get", "list", "watch"]
	- apiGroups: [""]
	resources: ["secrets"]
	resourceNames: [{{ include "metallb.secretName" . \| quote }}]
	verbs: ["list"]
	- apiGroups: ["apps"]
	resources: ["deployments"]
	resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
	verbs: ["get"]
	{{- end }}
	- apiGroups: [""]
	resources: ["secrets"]
	verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["addresspools"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["ipaddresspools"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["metallb.io"]
	resources: ["bgppeers"]
	verbs: ["get", "list"]
	- apiGroups: ["metallb.io"]
	resources: ["bgpadvertisements"]
	verbs: ["get", "list"]
	- apiGroups: ["metallb.io"]
	resources: ["l2advertisements"]
	verbs: ["get", "list"]
	- apiGroups: ["metallb.io"]
	resources: ["communities"]
	verbs: ["get", "list","watch"]
	- apiGroups: ["metallb.io"]
	resources: ["bfdprofiles"]
	verbs: ["get", "list","watch"]
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: {{ template "metallb.fullname" . }}:controller
	labels:
	{{- include "metallb.labels" . \| nindent 4 }}
	subjects:
	- kind: ServiceAccount
	name: {{ template "metallb.controller.serviceAccountName" . }}
	namespace: {{ .Release.Namespace }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: {{ template "metallb.fullname" . }}:controller
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: {{ template "metallb.fullname" . }}:speaker
	labels:
	{{- include "metallb.labels" . \| nindent 4 }}
	subjects:
	- kind: ServiceAccount
	name: {{ template "metallb.speaker.serviceAccountName" . }}
	namespace: {{ .Release.Namespace }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: {{ template "metallb.fullname" . }}:speaker
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: {{ include "metallb.fullname" . }}-pod-lister
	namespace: {{ .Release.Namespace \| quote }}
	labels: {{- include "metallb.labels" . \| nindent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: {{ include "metallb.fullname" . }}-pod-lister
	subjects:
	- kind: ServiceAccount
	name: {{ include "metallb.speaker.serviceAccountName" . }}
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: {{ include "metallb.fullname" . }}-controller
	namespace: {{ .Release.Namespace \| quote }}
	labels: {{- include "metallb.labels" . \| nindent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: {{ include "metallb.fullname" . }}-controller
	subjects:
	- kind: ServiceAccount
	name: {{ include "metallb.controller.serviceAccountName" . }}
	{{- end -}}