44 lines
1.0 KiB
YAML
44 lines
1.0 KiB
YAML
{{- with .Values.clientRbac }}
|
|
{{- if .create }}
|
|
{{- /*
|
|
Client must have the following RBAC in the traffic-manager.namespace to establish
|
|
a port-forward to the traffic-manager pod.
|
|
*/}}
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: traffic-manager-connect
|
|
namespace: {{ include "traffic-manager.namespace" $ }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list"]
|
|
- apiGroups: [""]
|
|
resources: ["services"]
|
|
resourceNames:
|
|
- {{ include "traffic-manager.name" $ }}
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["pods/portforward"]
|
|
verbs: ["create"]
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: traffic-manager-connect
|
|
namespace: {{ include "traffic-manager.namespace" $ }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
subjects:
|
|
{{ toYaml .subjects }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
name: traffic-manager-connect
|
|
kind: Role
|
|
|
|
{{- end }}
|
|
{{- end }}
|