ace01c86de
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
178 lines
5.3 KiB
YAML
178 lines
5.3 KiB
YAML
#@ load("@ytt:data", "data")
|
|
|
|
#! Give permission to various cluster-scoped objects
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [namespaces]
|
|
verbs: [get, list, watch]
|
|
- apiGroups: [apiregistration.k8s.io]
|
|
resources: [apiservices]
|
|
verbs: [create, get, list, patch, update, watch]
|
|
- apiGroups: [admissionregistration.k8s.io]
|
|
resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
|
|
verbs: [get, list, watch]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding"
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to various objects within the app's own namespace
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-role"
|
|
namespace: #@ data.values.namespace
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [services]
|
|
verbs: [create, get, list, patch, update, watch]
|
|
- apiGroups: [""]
|
|
resources: [secrets]
|
|
verbs: [create, get, list, patch, update, watch, delete]
|
|
- apiGroups: [crd.pinniped.dev]
|
|
resources: [credentialissuerconfigs]
|
|
verbs: [create, get, list, update, watch]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-role-binding"
|
|
namespace: #@ data.values.namespace
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ data.values.app_name + "-aggregated-api-server-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ data.values.app_name + "-kube-system-pod-exec-role"
|
|
namespace: kube-system
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [pods]
|
|
verbs: [get, list]
|
|
- apiGroups: [""]
|
|
resources: [pods/exec]
|
|
verbs: [create]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-kube-system-pod-exec-role-binding"
|
|
namespace: kube-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ data.values.app_name + "-kube-system-pod-exec-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Allow both authenticated and unauthenticated CredentialRequests (i.e. allow all requests)
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ data.values.app_name + "-credentialrequests-cluster-role"
|
|
rules:
|
|
- apiGroups: [pinniped.dev]
|
|
resources: [credentialrequests]
|
|
verbs: [create]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-credentialrequests-cluster-role-binding"
|
|
subjects:
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
- kind: Group
|
|
name: system:unauthenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ data.values.app_name + "-credentialrequests-cluster-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-service-account-cluster-role-binding"
|
|
namespace: #@ data.values.namespace
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: system:auth-delegator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding"
|
|
namespace: kube-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: extension-apiserver-authentication-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to list and watch ConfigMaps in kube-public
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-cluster-info-lister-watcher-role"
|
|
namespace: kube-public
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [configmaps]
|
|
verbs: [list, watch]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-cluster-info-lister-watcher-role-binding"
|
|
namespace: kube-public
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ data.values.app_name + "-cluster-info-lister-watcher-role"
|
|
apiGroup: rbac.authorization.k8s.io
|