ContainerImage.Pinniped/deploy/supervisor/rbac.yaml

#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("helpers.lib.yaml", "labels", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix")

#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, list, patch, update, watch, delete]
  - apiGroups: [config.supervisor.pinniped.dev]
    resources: [oidcproviders]
    verbs: [update, get, list, watch]
  - apiGroups: [idp.supervisor.pinniped.dev]
    resources: [upstreamoidcproviders]
    verbs: [get, list, watch]
  - apiGroups: [idp.supervisor.pinniped.dev]
    resources: [upstreamoidcproviders/status]
    verbs: [get, patch, update]
    #! We want to be able to read pods/replicasets/deployment so we can learn who our deployment is to set
    #! as an owner reference.
  - apiGroups: [""]
    resources: [pods]
    verbs: [get]
  - apiGroups: [apps]
    resources: [replicasets,deployments]
    verbs: [get]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
subjects:
  - kind: ServiceAccount
    name: #@ defaultResourceName()
    namespace: #@ namespace()
roleRef:
  kind: Role
  name: #@ defaultResourceName()
  apiGroup: rbac.authorization.k8s.io