#@ load("@ytt:data", "data") --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ data.values.app_name + "-aggregated-api-server-cluster-role" rules: - apiGroups: [""] resources: [namespaces] verbs: [get, list, watch] - apiGroups: [apiregistration.k8s.io] resources: [apiservices] verbs: [create, get, list, patch, update, watch] - apiGroups: [admissionregistration.k8s.io] resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations] verbs: [get, list, watch] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding" subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: ClusterRole name: #@ data.values.app_name + "-aggregated-api-server-cluster-role" apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: #@ data.values.app_name + "-aggregated-api-server-role" namespace: #@ data.values.namespace rules: - apiGroups: [""] resources: [services] verbs: [create, get, list, patch, update, watch] - apiGroups: [placeholder.suzerain-io.github.io] resources: [logindiscoveryconfigs] verbs: [create, get, list, update, watch] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-aggregated-api-server-role-binding" namespace: #@ data.values.namespace subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role name: #@ data.values.app_name + "-aggregated-api-server-role" apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ data.values.app_name + "-loginrequests-cluster-role" rules: - apiGroups: [placeholder.suzerain-io.github.io] resources: [loginrequests] verbs: [create] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-loginrequests-cluster-role-binding" subjects: #! both authenticated and unauthenticated requests (i.e. all requests) should be allowed - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io - kind: Group name: system:unauthenticated apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: #@ data.values.app_name + "-loginrequests-cluster-role" apiGroup: rbac.authorization.k8s.io --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-service-account-cluster-role-binding" namespace: #@ data.values.namespace subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: ClusterRole #! give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers name: system:auth-delegator apiGroup: rbac.authorization.k8s.io --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding" namespace: kube-system subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role #! give permissions for a special configmap of CA bundles that is needed by aggregated api servers name: extension-apiserver-authentication-reader apiGroup: rbac.authorization.k8s.io --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-cluster-info-lister-watcher-role" namespace: kube-public rules: - apiGroups: [""] resources: [configmaps] verbs: [list, watch] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-cluster-info-lister-watcher-role-binding" namespace: kube-public subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role name: #@ data.values.app_name + "-cluster-info-lister-watcher-role" apiGroup: rbac.authorization.k8s.io