Blame - charts/metallb/templates/rbac.yaml - pcloud

blob: ed6b8260c028f108462bacd681bab9ca626e6c2e [file] [log] [blame]

Giorgi Lekveishvili	285ab62	2023-11-22 13:50:45 +0400	[diff] [blame^]	1	{{- if .Values.rbac.create -}}
				2	apiVersion: rbac.authorization.k8s.io/v1
				3	kind: ClusterRole
				4	metadata:
				5	name: {{ template "metallb.fullname" . }}:controller
				6	labels:
				7	{{- include "metallb.labels" . \| nindent 4 }}
				8	rules:
				9	- apiGroups: [""]
				10	resources: ["services", "namespaces"]
				11	verbs: ["get", "list", "watch"]
				12	- apiGroups: [""]
				13	resources: ["nodes"]
				14	verbs: ["list"]
				15	- apiGroups: [""]
				16	resources: ["services/status"]
				17	verbs: ["update"]
				18	- apiGroups: [""]
				19	resources: ["events"]
				20	verbs: ["create", "patch"]
				21	- apiGroups: ["admissionregistration.k8s.io"]
				22	resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
				23	resourceNames: ["metallb-webhook-configuration"]
				24	verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
				25	- apiGroups: ["admissionregistration.k8s.io"]
				26	resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
				27	verbs: ["list", "watch"]
				28	- apiGroups: ["apiextensions.k8s.io"]
				29	resources: ["customresourcedefinitions"]
				30	resourceNames: ["addresspools.metallb.io","bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
				31	"bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
				32	verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
				33	- apiGroups: ["apiextensions.k8s.io"]
				34	resources: ["customresourcedefinitions"]
				35	verbs: ["list", "watch"]
				36	{{- if .Values.prometheus.secureMetricsPort }}
				37	- apiGroups: ["authentication.k8s.io"]
				38	resources: ["tokenreviews"]
				39	verbs: ["create"]
				40	- apiGroups: ["authorization.k8s.io"]
				41	resources: ["subjectaccessreviews"]
				42	verbs: ["create"]
				43	{{- end }}
				44	---
				45	apiVersion: rbac.authorization.k8s.io/v1
				46	kind: ClusterRole
				47	metadata:
				48	name: {{ template "metallb.fullname" . }}:speaker
				49	labels:
				50	{{- include "metallb.labels" . \| nindent 4 }}
				51	rules:
				52	- apiGroups: [""]
				53	resources: ["services", "endpoints", "nodes", "namespaces"]
				54	verbs: ["get", "list", "watch"]
				55	- apiGroups: ["discovery.k8s.io"]
				56	resources: ["endpointslices"]
				57	verbs: ["get", "list", "watch"]
				58	- apiGroups: [""]
				59	resources: ["events"]
				60	verbs: ["create", "patch"]
				61	{{- if .Values.prometheus.secureMetricsPort }}
				62	- apiGroups: ["authentication.k8s.io"]
				63	resources: ["tokenreviews"]
				64	verbs: ["create"]
				65	- apiGroups: ["authorization.k8s.io"]
				66	resources: ["subjectaccessreviews"]
				67	verbs: ["create"]
				68	{{- end }}
				69	---
				70	apiVersion: rbac.authorization.k8s.io/v1
				71	kind: Role
				72	metadata:
				73	name: {{ include "metallb.fullname" . }}-pod-lister
				74	namespace: {{ .Release.Namespace \| quote }}
				75	labels: {{- include "metallb.labels" . \| nindent 4 }}
				76	rules:
				77	- apiGroups: [""]
				78	resources: ["pods"]
				79	verbs: ["list"]
				80	- apiGroups: [""]
				81	resources: ["secrets"]
				82	verbs: ["get", "list", "watch"]
				83	- apiGroups: [""]
				84	resources: ["configmaps"]
				85	verbs: ["get", "list", "watch"]
				86	- apiGroups: ["metallb.io"]
				87	resources: ["addresspools"]
				88	verbs: ["get", "list", "watch"]
				89	- apiGroups: ["metallb.io"]
				90	resources: ["bfdprofiles"]
				91	verbs: ["get", "list", "watch"]
				92	- apiGroups: ["metallb.io"]
				93	resources: ["bgppeers"]
				94	verbs: ["get", "list", "watch"]
				95	- apiGroups: ["metallb.io"]
				96	resources: ["l2advertisements"]
				97	verbs: ["get", "list", "watch"]
				98	- apiGroups: ["metallb.io"]
				99	resources: ["bgpadvertisements"]
				100	verbs: ["get", "list", "watch"]
				101	- apiGroups: ["metallb.io"]
				102	resources: ["ipaddresspools"]
				103	verbs: ["get", "list", "watch"]
				104	- apiGroups: ["metallb.io"]
				105	resources: ["communities"]
				106	verbs: ["get", "list", "watch"]
				107	---
				108	apiVersion: rbac.authorization.k8s.io/v1
				109	kind: Role
				110	metadata:
				111	name: {{ include "metallb.fullname" . }}-controller
				112	namespace: {{ .Release.Namespace \| quote }}
				113	labels: {{- include "metallb.labels" . \| nindent 4 }}
				114	rules:
				115	{{- if .Values.speaker.memberlist.enabled }}
				116	- apiGroups: [""]
				117	resources: ["secrets"]
				118	verbs: ["create", "get", "list", "watch"]
				119	- apiGroups: [""]
				120	resources: ["secrets"]
				121	resourceNames: [{{ include "metallb.secretName" . \| quote }}]
				122	verbs: ["list"]
				123	- apiGroups: ["apps"]
				124	resources: ["deployments"]
				125	resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
				126	verbs: ["get"]
				127	{{- end }}
				128	- apiGroups: [""]
				129	resources: ["secrets"]
				130	verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
				131	- apiGroups: ["metallb.io"]
				132	resources: ["addresspools"]
				133	verbs: ["get", "list", "watch"]
				134	- apiGroups: ["metallb.io"]
				135	resources: ["ipaddresspools"]
				136	verbs: ["get", "list", "watch"]
				137	- apiGroups: ["metallb.io"]
				138	resources: ["bgppeers"]
				139	verbs: ["get", "list"]
				140	- apiGroups: ["metallb.io"]
				141	resources: ["bgpadvertisements"]
				142	verbs: ["get", "list"]
				143	- apiGroups: ["metallb.io"]
				144	resources: ["l2advertisements"]
				145	verbs: ["get", "list"]
				146	- apiGroups: ["metallb.io"]
				147	resources: ["communities"]
				148	verbs: ["get", "list","watch"]
				149	- apiGroups: ["metallb.io"]
				150	resources: ["bfdprofiles"]
				151	verbs: ["get", "list","watch"]
				152	---
				153	apiVersion: rbac.authorization.k8s.io/v1
				154	kind: ClusterRoleBinding
				155	metadata:
				156	name: {{ template "metallb.fullname" . }}:controller
				157	labels:
				158	{{- include "metallb.labels" . \| nindent 4 }}
				159	subjects:
				160	- kind: ServiceAccount
				161	name: {{ template "metallb.controller.serviceAccountName" . }}
				162	namespace: {{ .Release.Namespace }}
				163	roleRef:
				164	apiGroup: rbac.authorization.k8s.io
				165	kind: ClusterRole
				166	name: {{ template "metallb.fullname" . }}:controller
				167	---
				168	apiVersion: rbac.authorization.k8s.io/v1
				169	kind: ClusterRoleBinding
				170	metadata:
				171	name: {{ template "metallb.fullname" . }}:speaker
				172	labels:
				173	{{- include "metallb.labels" . \| nindent 4 }}
				174	subjects:
				175	- kind: ServiceAccount
				176	name: {{ template "metallb.speaker.serviceAccountName" . }}
				177	namespace: {{ .Release.Namespace }}
				178	roleRef:
				179	apiGroup: rbac.authorization.k8s.io
				180	kind: ClusterRole
				181	name: {{ template "metallb.fullname" . }}:speaker
				182	---
				183	apiVersion: rbac.authorization.k8s.io/v1
				184	kind: RoleBinding
				185	metadata:
				186	name: {{ include "metallb.fullname" . }}-pod-lister
				187	namespace: {{ .Release.Namespace \| quote }}
				188	labels: {{- include "metallb.labels" . \| nindent 4 }}
				189	roleRef:
				190	apiGroup: rbac.authorization.k8s.io
				191	kind: Role
				192	name: {{ include "metallb.fullname" . }}-pod-lister
				193	subjects:
				194	- kind: ServiceAccount
				195	name: {{ include "metallb.speaker.serviceAccountName" . }}
				196	---
				197	apiVersion: rbac.authorization.k8s.io/v1
				198	kind: RoleBinding
				199	metadata:
				200	name: {{ include "metallb.fullname" . }}-controller
				201	namespace: {{ .Release.Namespace \| quote }}
				202	labels: {{- include "metallb.labels" . \| nindent 4 }}
				203	roleRef:
				204	apiGroup: rbac.authorization.k8s.io
				205	kind: Role
				206	name: {{ include "metallb.fullname" . }}-controller
				207	subjects:
				208	- kind: ServiceAccount
				209	name: {{ include "metallb.controller.serviceAccountName" . }}
				210	{{- end -}}