#! Copyright 2020 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") #! Give permission to various cluster-scoped objects --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ data.values.app_name + "-aggregated-api-server-cluster-role" rules: - apiGroups: [""] resources: [namespaces] verbs: [get, list, watch] - apiGroups: [apiregistration.k8s.io] resources: [apiservices] verbs: [create, get, list, patch, update, watch] - apiGroups: [admissionregistration.k8s.io] resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations] verbs: [get, list, watch] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding" subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: ClusterRole name: #@ data.values.app_name + "-aggregated-api-server-cluster-role" apiGroup: rbac.authorization.k8s.io #! Give permission to various objects within the app's own namespace --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: #@ data.values.app_name + "-aggregated-api-server-role" namespace: #@ data.values.namespace rules: - apiGroups: [""] resources: [services] verbs: [create, get, list, patch, update, watch] - apiGroups: [""] resources: [secrets] verbs: [create, get, list, patch, update, watch, delete] - apiGroups: [config.pinniped.dev, idp.pinniped.dev] resources: ["*"] verbs: [create, get, list, update, watch] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-aggregated-api-server-role-binding" namespace: #@ data.values.namespace subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role name: #@ data.values.app_name + "-aggregated-api-server-role" apiGroup: rbac.authorization.k8s.io #! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: #@ data.values.app_name + "-kube-system-pod-exec-role" namespace: kube-system rules: - apiGroups: [""] resources: [pods] verbs: [get, list] - apiGroups: [""] resources: [pods/exec] verbs: [create] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-kube-system-pod-exec-role-binding" namespace: kube-system subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role name: #@ data.values.app_name + "-kube-system-pod-exec-role" apiGroup: rbac.authorization.k8s.io #! Allow both authenticated and unauthenticated CredentialRequests (i.e. allow all requests) --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: #@ data.values.app_name + "-credentialrequests-cluster-role" rules: - apiGroups: [pinniped.dev] resources: [credentialrequests] verbs: [create] - apiGroups: [login.pinniped.dev] resources: [tokencredentialrequests] verbs: [create] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-credentialrequests-cluster-role-binding" subjects: - kind: Group name: system:authenticated apiGroup: rbac.authorization.k8s.io - kind: Group name: system:unauthenticated apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: #@ data.values.app_name + "-credentialrequests-cluster-role" apiGroup: rbac.authorization.k8s.io #! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-service-account-cluster-role-binding" namespace: #@ data.values.namespace subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: ClusterRole name: system:auth-delegator apiGroup: rbac.authorization.k8s.io #! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding" namespace: kube-system subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role name: extension-apiserver-authentication-reader apiGroup: rbac.authorization.k8s.io #! Give permission to list and watch ConfigMaps in kube-public --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-cluster-info-lister-watcher-role" namespace: kube-public rules: - apiGroups: [""] resources: [configmaps] verbs: [list, watch] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: #@ data.values.app_name + "-cluster-info-lister-watcher-role-binding" namespace: kube-public subjects: - kind: ServiceAccount name: #@ data.values.app_name + "-service-account" namespace: #@ data.values.namespace roleRef: kind: Role name: #@ data.values.app_name + "-cluster-info-lister-watcher-role" apiGroup: rbac.authorization.k8s.io