djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b74486f305
ContainerImage.Pinniped/deploy/rbac.yaml
Andrew Keesler 0f8437bc3a
Integration tests are passing ayooooooooooooooo
2020-09-23 12:47:04 -04:00

186 lines
5.5 KiB
YAML
Raw Blame History

#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#! Give permission to various cluster-scoped objects
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: #@ data.values.app_name + "-aggregated-api-server"
rules:
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
- apiGroups: [apiregistration.k8s.io]
resources: [apiservices]
verbs: [create, get, list, patch, update, watch]
- apiGroups: [admissionregistration.k8s.io]
resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
verbs: [get, list, watch]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-aggregated-api-server"
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name
namespace: #@ data.values.namespace
roleRef:
kind: ClusterRole
name: #@ data.values.app_name + "-aggregated-api-server"
apiGroup: rbac.authorization.k8s.io
#! Give permission to various objects within the app's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: #@ data.values.app_name + "-aggregated-api-server"
namespace: #@ data.values.namespace
rules:
- apiGroups: [""]
resources: [services]
verbs: [create, get, list, patch, update, watch]
- apiGroups: [""]
resources: [secrets]
verbs: [create, get, list, patch, update, watch, delete]
#! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
- apiGroups: [""]
resources: [pods]
verbs: [create, get, list, patch, update, watch, delete]
#! We need to be able to exec into pods in our namespace so we can grab the API server's private key
- apiGroups: [""]
resources: [pods/exec]
verbs: [create]
- apiGroups: [config.pinniped.dev, idp.pinniped.dev]
resources: ["*"]
verbs: [create, get, list, update, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-aggregated-api-server"
namespace: #@ data.values.namespace
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name
namespace: #@ data.values.namespace
roleRef:
kind: Role
name: #@ data.values.app_name + "-aggregated-api-server"
apiGroup: rbac.authorization.k8s.io
#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: #@ data.values.app_name + "-kube-system-pod-read"
namespace: kube-system
rules:
- apiGroups: [""]
resources: [pods]
verbs: [get, list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-kube-system-pod-read"
namespace: kube-system
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name
namespace: #@ data.values.namespace
roleRef:
kind: Role
name: #@ data.values.app_name + "-kube-system-pod-read"
apiGroup: rbac.authorization.k8s.io
#! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: #@ data.values.app_name + "-create-token-credential-requests"
rules:
- apiGroups: [login.pinniped.dev]
resources: [tokencredentialrequests]
verbs: [create]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-create-token-credential-requests"
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:unauthenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: #@ data.values.app_name + "-create-token-credential-requests"
apiGroup: rbac.authorization.k8s.io
#! Give permissions for subjectaccessreviews, tokenreview that is needed by aggregated api servers
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name
namespace: #@ data.values.namespace
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name
namespace: #@ data.values.namespace
roleRef:
kind: ClusterRole
name: system:auth-delegator
apiGroup: rbac.authorization.k8s.io
#! Give permissions for a special configmap of CA bundles that is needed by aggregated api servers
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-extension-apiserver-authentication-reader"
namespace: kube-system
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name
namespace: #@ data.values.namespace
roleRef:
kind: Role
name: extension-apiserver-authentication-reader
apiGroup: rbac.authorization.k8s.io
#! Give permission to list and watch ConfigMaps in kube-public
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-cluster-info-lister-watcher"
namespace: kube-public
rules:
- apiGroups: [""]
resources: [configmaps]
verbs: [list, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-cluster-info-lister-watcher"
namespace: kube-public
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name
namespace: #@ data.values.namespace
roleRef:
kind: Role
name: #@ data.values.app_name + "-cluster-info-lister-watcher"
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink