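{{- if .Values.global.rbac.create }}
# Leader election Role: the controller holds a Lease in the leader election
# namespace so that only the elected replica reconciles resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Mutating access is pinned to the controller's own Lease by name.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  # "create" cannot be restricted by resourceNames (the object name is not
  # known to the authorizer at admission time), so it necessarily applies to
  # every Lease in the leader election namespace.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]

---
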
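# grant cert-manager permission to manage the leader election Lease in the
# leader election namespace (the Role above grants "leases", not configmaps)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "cert-manager.fullname" . }}:leaderelection
subjects:
  # The controller's ServiceAccount lives in the release namespace, which may
  # differ from the leader election namespace this binding is created in.
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}

---
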
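# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # Issuer credentials are stored in Secrets. Because this is a ClusterRole
  # (Issuers are namespaced but can exist in any namespace), Secret read and
  # write access is granted in every namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
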
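# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # ClusterIssuer credentials are stored in Secrets; this grant is
  # cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
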
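# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # The issued certificate and its private key are written to Secrets. This
  # is the broadest Secret grant in the chart (adds "patch" on top of the
  # issuer roles) and applies cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
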
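# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # Challenges are created and removed by the orders controller as an Order
  # progresses; they are updated by the challenges controller, not here.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Read-only Secret access (the ACME account key); no write verbs here.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
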
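# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Used to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve the ACME account private key to complete
  # challenges. The same read-only Secret access also serves DNS01 solvers
  # (previously listed a second time under "DNS01 rules"); the duplicate rule
  # was folded in here, effective permissions are unchanged.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules. These are granted unconditionally even when only DNS01
  # solvers are configured; they let the controller create and remove solver
  # Pods, Services and Ingress/HTTPRoute entries in any namespace.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]

---
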
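# ingress-shim controller role: creates and manages Certificates and
# CertificateRequests on behalf of Ingress and Gateway API resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Ingress and Gateway API resources are only read; the shim never mutates
  # the routing objects themselves.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---
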
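# Binds the issuers controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-issuers
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
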
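# Binds the clusterissuers controller ClusterRole to the controller
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
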
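# Binds the certificates controller ClusterRole to the controller
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-certificates
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
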
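# Binds the orders controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-orders
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
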
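# Binds the challenges controller ClusterRole to the controller
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-challenges
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
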
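# Binds the ingress-shim controller ClusterRole to the controller
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
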
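# User-facing read-only role for cert-manager resources.
# When global.rbac.aggregateClusterRoles is set, the aggregation labels fold
# these rules into the built-in "view", "edit" and "admin" ClusterRoles, so
# every subject bound to those roles gains read access to Certificates,
# CertificateRequests, Issuers, Challenges and Orders wherever their binding
# applies. No Secret access is granted here, so aggregation does not expose
# key material held in Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-view
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]

---
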
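# User-facing write role for cert-manager resources.
# When global.rbac.aggregateClusterRoles is set, these rules are folded into
# the built-in "edit" and "admin" ClusterRoles (not "view"). Note that this
# includes creating and deleting namespaced Issuers and updating
# certificates/status, which every "edit"/"admin" subject then inherits.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-edit
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

---
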
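# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers.
# The "approve" verb on the virtual "signers" resource is what the approval
# admission logic checks; the resourceNames wildcards restrict it to signers
# in the cert-manager.io group, so this role cannot approve requests that
# reference external issuers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]

---
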
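# Binds the approval ClusterRole to the controller ServiceAccount so that
# cert-manager's own approver can act on CertificateRequests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount

---
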
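# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update", "patch"]
  # "sign" on the built-in signers resource is limited by resourceNames to
  # cert-manager.io signer names; signing for other signers stays denied.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  # SubjectAccessReviews let the controller check, before signing, that the
  # requesting user is allowed to reference the named namespaced Issuer.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]

---
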
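# Binds the CertificateSigningRequests ClusterRole to the controller
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests
subjects:
  - name: {{ template "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
    kind: ServiceAccount
{{- end }}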