{{- if .Values.global.rbac.create }}
# Every RBAC object in this file is rendered only when global.rbac.create is set.
#
# Leader-election Role. It is namespaced to the leader-election namespace, so
# the controller can only touch Leases there, not Leases in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Read/write access is pinned to the single Lease named below.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - cert-manager-controller
    verbs:
      - get
      - update
      - patch
  # Kubernetes RBAC cannot restrict `create` by resourceName (the object does
  # not exist yet), so the create grant necessarily covers all Leases in the
  # namespace. Keep this Role namespaced for that reason.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
21
22---
23
# Grant cert-manager permission to manage the leader-election Lease in the
# leader election namespace by binding the Role above to the controller's
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cert-manager.fullname" . }}:leaderelection
subjects:
  # The ServiceAccount lives in the release namespace, which may differ from
  # the leader-election namespace this binding is created in.
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
46
47---
48
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Write access covers the Issuer object and its status subresource only.
  - apiGroups:
      - cert-manager.io
    resources:
      - issuers
      - issuers/status
    verbs:
      - update
      - patch
  - apiGroups:
      - cert-manager.io
    resources:
      - issuers
    verbs:
      - get
      - list
      - watch
  # Read/write on Secrets in every namespace, with no resourceNames
  # restriction. Issuer credentials are expected to live in Secrets, so the
  # grant is needed, but it is among the broadest in this chart: anyone holding
  # the controller ServiceAccount token can read any Secret in the cluster.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
73
74---
75
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Write access covers the ClusterIssuer object and its status subresource.
  - apiGroups:
      - cert-manager.io
    resources:
      - clusterissuers
      - clusterissuers/status
    verbs:
      - update
      - patch
  - apiGroups:
      - cert-manager.io
    resources:
      - clusterissuers
    verbs:
      - get
      - list
      - watch
  # Same cluster-wide Secrets read/write grant as the issuers role; it is not
  # narrowed by resourceNames or namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
100
101---
102
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Status/spec writes on Certificates and CertificateRequests.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificates/status
      - certificaterequests
      - certificaterequests/status
    verbs:
      - update
      - patch
  # Read-only on the objects the controller reconciles and the issuers they
  # reference.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - clusterissuers
      - issuers
    verbs:
      - get
      - list
      - watch
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates/finalizers
      - certificaterequests/finalizers
    verbs:
      - update
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - orders
    verbs:
      - create
      - delete
      - get
      - list
      - watch
  # Cluster-wide Secrets read/write (this role additionally has `patch`). Not
  # narrowed by resourceNames; the controller token can read any Secret.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
136
137---
138
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - orders
      - orders/status
    verbs:
      - update
      - patch
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - orders
      - challenges
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - cert-manager.io
    resources:
      - clusterissuers
      - issuers
    verbs:
      - get
      - list
      - watch
  # Challenges are created and removed by this controller; it does not update
  # them (that is the challenges controller's job).
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - challenges
    verbs:
      - create
      - delete
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - orders/finalizers
    verbs:
      - update
  # Read-only on Secrets, but still cluster-wide and unrestricted by name.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
175
176---
177
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Update challenge resource status.
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - challenges
      - challenges/status
    verbs:
      - update
      - patch
  # Watch challenge resources.
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - challenges
    verbs:
      - get
      - list
      - watch
  # Watch Issuer and ClusterIssuer resources.
  - apiGroups:
      - cert-manager.io
    resources:
      - issuers
      - clusterissuers
    verbs:
      - get
      - list
      - watch
  # Retrieve the ACME account private key to complete challenges. Read-only,
  # but cluster-wide and not narrowed by resourceNames.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  # Create events.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # HTTP01 rules: solver Pods, Services, Ingresses and HTTPRoutes are created
  # and torn down by the controller.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
      - create
      - delete
      - update
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups:
      - route.openshift.io
    resources:
      - routes/custom-host
    verbs:
      - create
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - challenges/finalizers
    verbs:
      - update
  # DNS01 rules. This repeats the Secrets rule above: RBAC rules are a union,
  # so the duplicate grants nothing extra and is kept only to keep the DNS01
  # requirements visible in one place.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
236
237---
238
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # ingress-shim creates/updates/deletes Certificates and CertificateRequests
  # on behalf of annotated Ingress/Gateway objects. Note that, unlike the other
  # controller roles, this one has no Secrets access at all.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
    verbs:
      - create
      - update
      - delete
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - issuers
      - clusterissuers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/finalizers
    verbs:
      - update
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gateways
      - httproutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gateways/finalizers
      - httproutes/finalizers
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
275
276---
277
# Bind the issuers controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
296
297---
298
# Bind the clusterissuers controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
317
318---
319
# Bind the certificates controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
338
339---
340
# Bind the orders controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-orders
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
359
360---
361
# Bind the challenges controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
380
381---
382
# Bind the ingress-shim controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
401
402---
403
# Read-only ClusterRole intended for end users. When aggregateClusterRoles is
# enabled the aggregation labels fold it into the built-in view, edit and admin
# roles, so every user holding those roles gains these read verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-view
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
  # Only the namespaced kinds are listed; ClusterIssuers are not readable
  # through this role.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - issuers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - challenges
      - orders
    verbs:
      - get
      - list
      - watch
426
427
428---
429
# Write ClusterRole intended for end users. It carries no read verbs of its
# own: when aggregated, read access comes from the -view role (which also
# aggregates to edit and admin); when bound directly, pair it with -view.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-edit
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - certificaterequests
      - issuers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  # Direct writes to Certificate status are granted to editors as well.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates/status
    verbs:
      - update
  - apiGroups:
      - acme.cert-manager.io
    resources:
      - challenges
      - orders
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
454
455---
456
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  # `approve` on the virtual "signers" resource. resourceNames scopes it to
  # signer names under issuers.cert-manager.io and clusterissuers.cert-manager.io;
  # the trailing "/*" matches any issuer name, so this covers every
  # cert-manager.io issuer in the cluster but no other signer group.
  - apiGroups:
      - cert-manager.io
    resources:
      - signers
    verbs:
      - approve
    resourceNames:
      - "issuers.cert-manager.io/*"
      - "clusterissuers.cert-manager.io/*"
473
474---
475
# Bind the approve ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
494
495---
496
# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  # Read and update CSR objects (spec), plus status writes via the subresource.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/status
    verbs:
      - update
      - patch
  # `sign` on the virtual "signers" resource, limited by resourceNames to
  # cert-manager.io issuer signer names ("/*" matches any issuer name). This
  # does not grant signing for kubernetes.io/* or other signer names.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - "issuers.cert-manager.io/*"
      - "clusterissuers.cert-manager.io/*"
    verbs:
      - sign
  # SubjectAccessReviews let the controller check whether the requesting user
  # is allowed to reference a namespaced Issuer before acting on the CSR.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
524
525---
526
# Bind the certificatesigningrequests ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
{{- end }}