Blame - charts/cert-manager-webhook-pcloud/templates/rbac.yaml - pcloud

blob: acd44c1127271bddbb90a93e637fd60b9942ef94 [file] [log] [blame]

Giorgi Lekveishvili	ae1a4a4	2023-12-07 13:23:17 +0400	[diff] [blame]	1	apiVersion: v1
				2	kind: ServiceAccount
				3	metadata:
				4	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
				5	namespace: {{ .Values.certManager.namespace \| quote }}
				6	labels:
				7	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				8	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				9	release: {{ .Release.Name }}
				10	heritage: {{ .Release.Service }}
				11	---
				12	# Grant the webhook permission to read the ConfigMap containing the Kubernetes
				13	# apiserver's requestheader-ca-certificate
				14	# This ConfigMap is automatically created by the Kubernetes apiserver
				15	apiVersion: rbac.authorization.k8s.io/v1
				16	kind: RoleBinding
				17	metadata:
				18	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:webhook-authentication-reader
				19	namespace: kube-system
				20	labels:
				21	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				22	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				23	release: {{ .Release.Name }}
				24	heritage: {{ .Release.Service }}
				25	roleRef:
				26	apiGroup: rbac.authorization.k8s.io
				27	kind: Role
				28	name: extension-apiserver-authentication-reader
				29	subjects:
				30	- apiGroup: ""
				31	kind: ServiceAccount
				32	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
				33	namespace: {{ .Values.certManager.namespace \| quote }}
				34	---
				35	# apiserver gets the auth-delegator role to delegate auth decisions to
				36	# the core apiserver
				37	apiVersion: rbac.authorization.k8s.io/v1
				38	kind: ClusterRoleBinding
				39	metadata:
				40	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:auth-delegator
				41	labels:
				42	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				43	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				44	release: {{ .Release.Name }}
				45	heritage: {{ .Release.Service }}
				46	roleRef:
				47	apiGroup: rbac.authorization.k8s.io
				48	kind: ClusterRole
				49	name: system:auth-delegator
				50	subjects:
				51	- apiGroup: ""
				52	kind: ServiceAccount
				53	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
				54	namespace: {{ .Values.certManager.namespace \| quote}}
				55	---
				56	# Grant cert-manager permission to validate using our apiserver
				57	apiVersion: rbac.authorization.k8s.io/v1
				58	kind: ClusterRole
				59	metadata:
				60	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
				61	labels:
				62	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				63	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				64	release: {{ .Release.Name }}
				65	heritage: {{ .Release.Service }}
				66	rules:
				67	- apiGroups:
Giorgi Lekveishvili	5c2c0b9	2023-12-07 17:35:40 +0400	[diff] [blame]	68	- {{ .Values.apiGroupName }}
Giorgi Lekveishvili	ae1a4a4	2023-12-07 13:23:17 +0400	[diff] [blame]	69	resources:
				70	- "*"
				71	verbs:
				72	- "create"
				73	---
				74	apiVersion: rbac.authorization.k8s.io/v1
				75	kind: ClusterRoleBinding
				76	metadata:
				77	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
				78	labels:
				79	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				80	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				81	release: {{ .Release.Name }}
				82	heritage: {{ .Release.Service }}
				83	roleRef:
				84	apiGroup: rbac.authorization.k8s.io
				85	kind: ClusterRole
				86	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
				87	subjects:
				88	- apiGroup: ""
				89	kind: ServiceAccount
				90	name: {{ .Values.certManager.serviceAccountName }}
				91	namespace: {{ .Values.certManager.namespace \| quote }}
				92	---
				93	apiVersion: rbac.authorization.k8s.io/v1
				94	kind: Role
				95	metadata:
				96	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
				97	namespace: {{ .Values.certManager.namespace \| quote }}
				98	rules:
				99	- apiGroups:
				100	- ""
				101	resources:
				102	- "secrets"
				103	resourceNames:
				104	- "pcloud-credentials"
				105	verbs:
				106	- "get"
				107	- "watch"
				108	---
				109	apiVersion: rbac.authorization.k8s.io/v1
				110	kind: RoleBinding
				111	metadata:
				112	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
				113	namespace: {{ .Values.certManager.namespace \| quote }}
				114	roleRef:
				115	apiGroup: rbac.authorization.k8s.io
				116	kind: Role
				117	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
				118	subjects:
				119	- apiGroup: ""
				120	kind: ServiceAccount
				121	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
				122	namespace: {{ .Values.certManager.namespace \| quote }}
Giorgi Lekveishvili	5c2c0b9	2023-12-07 17:35:40 +0400	[diff] [blame]	123	---
				124	# TODO(gio): limit access by resourceNames
				125	apiVersion: rbac.authorization.k8s.io/v1
				126	kind: ClusterRole
				127	metadata:
				128	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
				129	rules:
				130	- apiGroups:
				131	- ""
				132	resources:
				133	- "configmaps"
				134	verbs:
				135	- "get"
				136	- "watch"
				137	---
				138	apiVersion: rbac.authorization.k8s.io/v1
				139	kind: ClusterRoleBinding
				140	metadata:
				141	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
				142	roleRef:
				143	apiGroup: rbac.authorization.k8s.io
				144	kind: ClusterRole
				145	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:api-configmap-reader
				146	subjects:
				147	- apiGroup: ""
				148	kind: ServiceAccount
				149	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
				150	namespace: {{ .Values.certManager.namespace \| quote }}
Giorgi Lekveishvili	ae1a4a4	2023-12-07 13:23:17 +0400	[diff] [blame]	151	{{- if .Values.features.apiPriorityAndFairness }}
				152	---
				153	# Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
				154	# API Priority and Fairness is enabled by default in Kubernetes 1.20
				155	# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
				156	apiVersion: rbac.authorization.k8s.io/v1
				157	kind: ClusterRole
				158	metadata:
				159	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
				160	labels:
				161	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				162	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				163	release: {{ .Release.Name }}
				164	heritage: {{ .Release.Service }}
				165	rules:
				166	- apiGroups:
				167	- "flowcontrol.apiserver.k8s.io"
				168	resources:
				169	- "prioritylevelconfigurations"
				170	- "flowschemas"
				171	verbs:
				172	- "list"
				173	- "watch"
				174	---
				175	apiVersion: rbac.authorization.k8s.io/v1
				176	kind: ClusterRoleBinding
				177	metadata:
				178	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
				179	labels:
				180	app: {{ include "cert-manager-webhook-pcloud.name" . }}
				181	chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
				182	release: {{ .Release.Name }}
				183	heritage: {{ .Release.Service }}
				184	roleRef:
				185	apiGroup: rbac.authorization.k8s.io
				186	kind: ClusterRole
				187	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
				188	subjects:
				189	- apiGroup: ""
				190	kind: ServiceAccount
				191	name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
				192	namespace: {{ .Values.certManager.namespace \| quote }}
Giorgi Lekveishvili	5c2c0b9	2023-12-07 17:35:40 +0400	[diff] [blame]	193	{{- end }}