6b90dc8bb7
The rotation is forced by a new controller that deletes the serving cert secret, as other controllers will see this deletion and ensure that a new serving cert is created. Note that the integration tests now have an addition worst case runtime of 60 seconds. This is because of the way that the aggregated API server code reloads certificates. We will fix this in a future story. Then, the integration tests should hopefully get much faster. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
178 lines
5.4 KiB
YAML
178 lines
5.4 KiB
YAML
#@ load("@ytt:data", "data")
|
|
|
|
#! Give permission to various cluster-scoped objects
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [namespaces]
|
|
verbs: [get, list, watch]
|
|
- apiGroups: [apiregistration.k8s.io]
|
|
resources: [apiservices]
|
|
verbs: [create, get, list, patch, update, watch]
|
|
- apiGroups: [admissionregistration.k8s.io]
|
|
resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
|
|
verbs: [get, list, watch]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding"
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to various objects within the app's own namespace
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-role"
|
|
namespace: #@ data.values.namespace
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [services]
|
|
verbs: [create, get, list, patch, update, watch]
|
|
- apiGroups: [""]
|
|
resources: [secrets]
|
|
verbs: [create, get, list, patch, update, watch, delete]
|
|
- apiGroups: [crds.placeholder.suzerain-io.github.io]
|
|
resources: [logindiscoveryconfigs]
|
|
verbs: [create, get, list, update, watch]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-aggregated-api-server-role-binding"
|
|
namespace: #@ data.values.namespace
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ data.values.app_name + "-aggregated-api-server-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: #@ data.values.app_name + "-kube-system-pod-exec-role"
|
|
namespace: kube-system
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [pods]
|
|
verbs: [get, list]
|
|
- apiGroups: [""]
|
|
resources: [pods/exec]
|
|
verbs: [create]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-kube-system-pod-exec-role-binding"
|
|
namespace: kube-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ data.values.app_name + "-kube-system-pod-exec-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Allow both authenticated and unauthenticated CredentialRequests (i.e. allow all requests)
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: #@ data.values.app_name + "-credentialrequests-cluster-role"
|
|
rules:
|
|
- apiGroups: [placeholder.suzerain-io.github.io]
|
|
resources: [credentialrequests]
|
|
verbs: [create]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-credentialrequests-cluster-role-binding"
|
|
subjects:
|
|
- kind: Group
|
|
name: system:authenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
- kind: Group
|
|
name: system:unauthenticated
|
|
apiGroup: rbac.authorization.k8s.io
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: #@ data.values.app_name + "-credentialrequests-cluster-role"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-service-account-cluster-role-binding"
|
|
namespace: #@ data.values.namespace
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: system:auth-delegator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-extension-apiserver-authentication-reader-role-binding"
|
|
namespace: kube-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: extension-apiserver-authentication-reader
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
#! Give permission to list and watch ConfigMaps in kube-public
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-cluster-info-lister-watcher-role"
|
|
namespace: kube-public
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: [configmaps]
|
|
verbs: [list, watch]
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: #@ data.values.app_name + "-cluster-info-lister-watcher-role-binding"
|
|
namespace: kube-public
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: #@ data.values.app_name + "-service-account"
|
|
namespace: #@ data.values.namespace
|
|
roleRef:
|
|
kind: Role
|
|
name: #@ data.values.app_name + "-cluster-info-lister-watcher-role"
|
|
apiGroup: rbac.authorization.k8s.io
|