889348e999
Signed-off-by: Margo Crawford <margaretc@vmware.com>
172 lines
5.2 KiB
YAML
172 lines
5.2 KiB
YAML
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
|
#! SPDX-License-Identifier: Apache-2.0
|
|
|
|
#@ load("@ytt:data", "data")
|
|
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "pinnipedDevAPIGroupWithPrefix")
|
|
|
|
#! Give permission to various objects within the app's own namespace
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [secrets]
|
|
verbs: [create, get, list, patch, update, watch, delete]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
|
|
resources: [federationdomains]
|
|
verbs: [get, list, watch]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("config.supervisor")
|
|
resources: [federationdomains/status]
|
|
verbs: [get, patch, update]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
|
|
resources: [oidcidentityproviders]
|
|
verbs: [get, list, watch]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
|
|
resources: [oidcidentityproviders/status]
|
|
verbs: [get, patch, update]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
|
|
resources: [ldapidentityproviders]
|
|
verbs: [get, list, watch]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
|
|
resources: [ldapidentityproviders/status]
|
|
verbs: [get, patch, update]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
|
|
resources: [activedirectoryidentityproviders]
|
|
verbs: [get, list, watch]
|
|
- apiGroups:
|
|
- #@ pinnipedDevAPIGroupWithPrefix("idp.supervisor")
|
|
resources: [activedirectoryidentityproviders/status]
|
|
verbs: [get, patch, update]
|
|
#! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
|
|
#! as an owner reference.
|
|
- apiGroups: [""]
|
|
resources: [pods]
|
|
verbs: [get]
|
|
- apiGroups: [apps]
|
|
resources: [replicasets,deployments]
|
|
verbs: [get]
|
|
- apiGroups: [ coordination.k8s.io ]
|
|
resources: [ leases ]
|
|
verbs: [ create, get, update ]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ defaultResourceName()
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("extension-apiserver-authentication-reader")
|
|
namespace: kube-system
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: extension-apiserver-authentication-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to list and watch ConfigMaps in kube-public
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
|
|
namespace: kube-public
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ configmaps ]
|
|
verbs: [ list, watch ]
|
|
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceName()
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: system:auth-delegator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
|
|
namespace: kube-public
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ defaultResourceNameWithSuffix("cluster-info-lister-watcher")
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to various cluster-scoped objects
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
labels: #@ labels()
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ namespaces ]
|
|
verbs: [ get, list, watch ]
|
|
- apiGroups: [ apiregistration.k8s.io ]
|
|
resources: [ apiservices ]
|
|
verbs: [ get, list, patch, update, watch ]
|
|
- apiGroups: [ admissionregistration.k8s.io ]
|
|
resources: [ validatingwebhookconfigurations, mutatingwebhookconfigurations ]
|
|
verbs: [ get, list, watch ]
|
|
- apiGroups: [ flowcontrol.apiserver.k8s.io ]
|
|
resources: [ flowschemas, prioritylevelconfigurations ]
|
|
verbs: [ get, list, watch ]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
labels: #@ labels()
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ defaultResourceName()
|
|
namespace: #@ namespace()
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ defaultResourceNameWithSuffix("aggregated-api-server")
|
|
apiGroup: rbac.authorization.k8s.io
|