#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") #@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix") #! Give permission to various objects within the app's own namespace --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: #@ defaultResourceName() namespace: #@ namespace() labels: #@ labels() rules: - apiGroups: [""] resources: [secrets] verbs: [create, get, list, patch, update, watch, delete] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor") resources: [federationdomains] verbs: [get, list, watch] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("config.supervisor") resources: [federationdomains/status] verbs: [get, patch, update] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [oidcidentityproviders] verbs: [get, list, watch] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [oidcidentityproviders/status] verbs: [get, patch, update] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [ldapidentityproviders] verbs: [get, list, watch] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [ldapidentityproviders/status] verbs: [get, patch, update] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [activedirectoryidentityproviders] verbs: [get, list, watch] - apiGroups: - #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor") resources: [activedirectoryidentityproviders/status] verbs: [get, patch, update] #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set #! as an owner reference. - apiGroups: [""] resources: [pods] verbs: [get] - apiGroups: [apps] resources: [replicasets,deployments] verbs: [get] - apiGroups: [ coordination.k8s.io ] resources: [ leases ] verbs: [ create, get, update ] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceName() namespace: #@ namespace() labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: #@ defaultResourceName() apiGroup: rbac.authorization.k8s.io #! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader") namespace: kube-system labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: extension-apiserver-authentication-reader apiGroup: rbac.authorization.k8s.io #! Give permission to list and watch ConfigMaps in kube-public --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") namespace: kube-public labels: #@ labels() rules: - apiGroups: [ "" ] resources: [ configmaps ] verbs: [ list, watch ] #! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceName() labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: ClusterRole name: system:auth-delegator apiGroup: rbac.authorization.k8s.io --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") namespace: kube-public labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: Role name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher") apiGroup: rbac.authorization.k8s.io #! Give permission to various cluster-scoped objects --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ defaultResourceNameWithSuffix("aggregated-api-server") labels: #@ labels() rules: - apiGroups: [ "" ] resources: [ namespaces ] verbs: [ get, list, watch ] - apiGroups: [ apiregistration.k8s.io ] resources: [ apiservices ] verbs: [ get, list, patch, update, watch ] - apiGroups: [ admissionregistration.k8s.io ] resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ] verbs: [ get, list, watch ] - apiGroups: [ flowcontrol.apiserver.k8s.io ] resources: [ flowschemas, prioritylevelconfigurations ] verbs: [ get, list, watch ] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ defaultResourceNameWithSuffix("aggregated-api-server") labels: #@ labels() subjects: - kind: ServiceAccount name: #@ defaultResourceName() namespace: #@ namespace() roleRef: kind: ClusterRole name: #@ defaultResourceNameWithSuffix("aggregated-api-server") apiGroup: rbac.authorization.k8s.io