This repository has been archived by the owner on Feb 22, 2022. It is now read-only.
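{{- /*
Role / ClusterRole for the Ambassador service account.
Rendered only when rbac.create is set. scope.singleNamespace selects a
namespaced Role; otherwise a ClusterRole is emitted and every rule below
applies across all namespaces.
*/ -}}
{{- if .Values.rbac.create -}}
{{- /* Prefer the GA RBAC API; keep v1beta1 only for clusters that do not serve v1. */}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
{{- if .Values.scope.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
  # Templated scalars are quoted so that a release or chart name that looks
  # like a number or boolean is still rendered as a string.
  name: {{ include "ambassador.fullname" . | quote }}
  labels:
    app.kubernetes.io/name: {{ include "ambassador.name" . | quote }}
    app.kubernetes.io/part-of: {{ .Release.Name | quote }}
    helm.sh/chart: {{ include "ambassador.chart" . | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    {{- if .Values.extraLabels }}
    {{- toYaml .Values.extraLabels | nindent 4 }}
    {{- end }}
rules:
  # Read access to core resources. As a ClusterRole this includes reading
  # Secrets in every namespace; scope.singleNamespace limits the grant to
  # the namespace the Role is installed in and drops the namespaces resource.
  - apiGroups: [""]
    resources:
    {{- if not .Values.scope.singleNamespace }}
      - namespaces
    {{- end }}
      - services
      - secrets
      - endpoints
    verbs: ["get", "list", "watch"]
  # Read-only on every resource in the getambassador.io API group.
  - apiGroups: ["getambassador.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.internal.knative.dev"]
    resources: ["clusteringresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # The only write on Ingress objects is to their status subresource.
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  {{- if .Values.pro.enabled }}
  # pro.enabled widens the Secrets grant above with "create". RBAC rules are
  # additive, and in cluster scope this allows creating Secrets in any namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create"]
  {{- end }}
  {{- if .Values.rbac.podSecurityPolicies }}
  # "use" is limited to the PodSecurityPolicies named in rbac.podSecurityPolicies.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
    {{- toYaml .Values.rbac.podSecurityPolicies | nindent 6 }}
  {{- end }}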
---
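# Binds the role defined in this file to the Ambassador service account.
# With scope.singleNamespace this is a RoleBinding; otherwise it is a
# ClusterRoleBinding, so the service account holds the role's permissions
# in every namespace.
{{- /* Prefer the GA RBAC API; keep v1beta1 only for clusters that do not serve v1. */}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
{{- if .Values.scope.singleNamespace }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
  # Templated scalars are quoted so that a release or chart name that looks
  # like a number or boolean is still rendered as a string.
  name: {{ include "ambassador.fullname" . | quote }}
  labels:
    app.kubernetes.io/name: {{ include "ambassador.name" . | quote }}
    app.kubernetes.io/part-of: {{ .Release.Name | quote }}
    helm.sh/chart: {{ include "ambassador.chart" . | quote }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    {{- if .Values.extraLabels }}
    {{- toYaml .Values.extraLabels | nindent 4 }}
    {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # Must be the same kind and name as the role rendered earlier in this file.
  {{- if .Values.scope.singleNamespace }}
  kind: Role
  {{- else }}
  kind: ClusterRole
  {{- end }}
  name: {{ include "ambassador.fullname" . | quote }}
subjects:
  # The only subject is the chart's service account in the release namespace.
  - name: {{ include "ambassador.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount
{{- /* Closes the rbac.create guard opened at the top of the file. */}}
{{- end -}}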