# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- # Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: my-cert-manager-cainjector labels: app: cainjector app.kubernetes.io/name: cainjector app.kubernetes.io/instance: my-cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: "cainjector" helm.sh/chart: cert-manager-v1.3.0 rules: - apiGroups: ["cert-manager.io"] resources: ["certificates"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["get", "create", "update", "patch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["apiregistration.k8s.io"] resources: ["apiservices"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["auditregistration.k8s.io"] resources: ["auditsinks"] verbs: ["get", "list", "watch", "update"] --- # Source: cert-manager/templates/cainjector-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: my-cert-manager-cainjector labels: app: cainjector app.kubernetes.io/name: cainjector app.kubernetes.io/instance: my-cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: "cainjector" helm.sh/chart: cert-manager-v1.3.0 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-cert-manager-cainjector subjects: - name: my-cert-manager-cainjector namespace: "cert-manager" kind: ServiceAccount --- # Source: cert-manager/templates/cainjector-rbac.yaml # leader election rules apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: my-cert-manager-cainjector:leaderelection namespace: kube-system labels: app: cainjector app.kubernetes.io/name: cainjector app.kubernetes.io/instance: my-cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: "cainjector" helm.sh/chart: cert-manager-v1.3.0 rules: # Used for leader election by the controller # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller # see cmd/cainjector/start.go#L113 # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller # see cmd/cainjector/start.go#L137 - apiGroups: [""] resources: ["configmaps"] resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] verbs: ["get", "update", "patch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create"] --- # Source: cert-manager/templates/cainjector-rbac.yaml # grant cert-manager permission to manage the leaderelection configmap in the # leader election namespace apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: my-cert-manager-cainjector:leaderelection namespace: kube-system labels: app: cainjector app.kubernetes.io/name: cainjector app.kubernetes.io/instance: my-cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: "cainjector" helm.sh/chart: cert-manager-v1.3.0 roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: my-cert-manager-cainjector:leaderelection subjects: - kind: ServiceAccount name: my-cert-manager-cainjector namespace: cert-manager