217 lines
4.3 KiB
YAML
217 lines
4.3 KiB
YAML
{{- if .Values.managerRbac.create }}
|
|
{{- /*
|
|
This file contains the various namespace-scoped roles + bindings that the traffic-manager needs.
|
|
This will likely expand over time as we move more things from the clients
|
|
domain into the traffic-manager. But the good news there is that it will
|
|
require less permissions in clientRbac.yaml
|
|
*/}}
|
|
{{- $managerNamespace := include "traffic-manager.namespace" $}}
|
|
{{- $namespaces := fromJsonArray (include "traffic-manager.namespaces" $)}}
|
|
{{- if $namespaces }}
|
|
{{- $interceptEnabled := .Values.agentInjector.enabled}}
|
|
{{- $argoRolloutsEnabled := .Values.workloads.argoRollouts.enabled}}
|
|
{{- $allNamespaces := uniq (append $namespaces $managerNamespace)}}
|
|
|
|
{{- range $allNamespaces }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: traffic-manager
|
|
namespace: {{ . }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
verbs:
|
|
- update {{/* Only needed for upgrade of older versions */}}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
- pods
|
|
verbs:
|
|
- list
|
|
- get
|
|
- watch
|
|
{{- if $interceptEnabled }}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods/eviction
|
|
verbs:
|
|
- create
|
|
{{- end }}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods/log
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- list
|
|
- get
|
|
- watch
|
|
resourceNames:
|
|
{{- if eq . $managerNamespace }}
|
|
- {{ include "traffic-manager.name" $ }}
|
|
{{- end }}
|
|
- apiGroups:
|
|
- "apps"
|
|
resources:
|
|
- deployments
|
|
- replicasets
|
|
- statefulsets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- if $interceptEnabled }}
|
|
- patch
|
|
{{- end }}
|
|
{{- if $argoRolloutsEnabled }}
|
|
- apiGroups:
|
|
- "argoproj.io"
|
|
resources:
|
|
- rollouts
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
{{- if $interceptEnabled }}
|
|
- patch
|
|
{{- end }}
|
|
{{- end }}
|
|
- apiGroups:
|
|
- "events.k8s.io"
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- get
|
|
- watch
|
|
{{- if eq . $managerNamespace }}
|
|
{{- /* Must be able to get the manager namespace in order to get the install-id */}}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- namespaces
|
|
resourceNames:
|
|
- {{ . }}
|
|
verbs:
|
|
- get
|
|
{{- if and (eq (int $.Capabilities.KubeVersion.Major) 1) (lt (int $.Capabilities.KubeVersion.Minor) 33) }}
|
|
{{- /*
|
|
Must be able to make an unsuccessful attempt to create a dummy service in order to receive
|
|
the error message containing correct service CIDR
|
|
*/}}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
verbs:
|
|
- create
|
|
{{- end }}
|
|
{{- end }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: traffic-manager
|
|
namespace: {{ . }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: traffic-manager
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: traffic-manager
|
|
namespace: {{ $managerNamespace }}
|
|
{{- end }}
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: traffic-manager-cluster-wide-{{ $managerNamespace }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- "networking.k8s.io"
|
|
resources:
|
|
- servicecidrs
|
|
verbs:
|
|
- list
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: traffic-manager-cluster-wide-{{ $managerNamespace }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: traffic-manager-cluster-wide-{{ $managerNamespace }}
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: traffic-manager
|
|
namespace: {{ $managerNamespace }}
|
|
{{- else }}
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
namespace: {{ $managerNamespace }}
|
|
name: traffic-manager
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
verbs:
|
|
- create
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
resourceNames:
|
|
- {{ include "traffic-manager.name" $ }}
|
|
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: traffic-manager
|
|
namespace: {{ $managerNamespace }}
|
|
labels:
|
|
{{- include "telepresence.labels" $ | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: traffic-manager
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: traffic-manager
|
|
namespace: {{ $managerNamespace }}
|
|
{{- end }}
|
|
|
|
{{- end }}
|