# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Namespace that hosts the Config Connector (KCC) control plane: the controller
# manager, admission webhook, deletion defender and stats recorder defined in
# this bundle, plus the Secrets they manage. Everything carrying the
# `cnrm.cloud.google.com/system: "true"` label is operator-owned, and the
# version annotation is the only thing tying these objects to a release.
# NOTE(review): no pod-security.kubernetes.io/* labels are set. On GKE
# Autopilot (this bundle's target, judging by its path) the platform applies
# its own pod hardening; on any other cluster consider at least
# `pod-security.kubernetes.io/audit: restricted` and `.../warn: restricted` so
# that drift in the workloads of this namespace is visible without blocking
# them.
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-system
---
# Kubernetes identity of the controller manager, the component that reconciles
# KCC resources against Google Cloud. It is bound further down to cnrm-admin,
# cnrm-manager-cluster-role and cnrm-manager-ns-role — together the widest
# grant in this bundle. The API token is auto-mounted (default) and this
# component does talk to the API server, so that is expected.
# NOTE(review): this is the "gcp-identity" bundle variant. As far as I recall,
# that variant authenticates to Google with a service-account key stored in a
# Secret in cnrm-system rather than with Workload Identity; that wiring is not
# in this file — confirm it. If it holds, every RBAC grant on Secrets in this
# namespace is effectively a grant on the cloud credential.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-controller-manager
  namespace: cnrm-system
---
# Kubernetes identity of the deletion-defender admission webhook. It is bound
# further down to a namespaced Secret role, to cnrm-deletiondefender-role
# (cluster-wide) and, through cnrm-admin-binding, to cnrm-admin — i.e. write
# access to every KCC kind, which is more than a deletion guard appears to
# need (its actual API usage is not visible in this file).
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
  namespace: cnrm-system
---
# Kubernetes identity of the metrics recorder (a Prometheus exporter, see its
# Deployment at the end of this file). Bound further down to
# cnrm-recorder-role and, through cnrm-admin-binding, to cnrm-admin: a
# read-only component carrying cluster-wide write grants on every KCC kind.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder
  namespace: cnrm-system
---
# Kubernetes identity of the admission webhook server. Bound further down to a
# namespaced Secret role in cnrm-system (presumably its serving certificate —
# not confirmable here) and to cnrm-webhook-role, which includes write access
# to Mutating/ValidatingWebhookConfigurations cluster-wide.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-manager
  namespace: cnrm-system
---
# Namespaced grant for the deletion defender: get/create/update/patch/delete on
# Secrets in cnrm-system. There is deliberately no list/watch, so the holder
# cannot enumerate Secrets — but `get` by name still reaches any Secret in this
# namespace whose name is known. In the gcp-identity bundle variant that may
# include the Google service-account key Secret (if this variant uses one; not
# visible in this file). Presumably used for webhook TLS material — confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-cnrm-system-role
  namespace: cnrm-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
  - delete
---
# Namespaced grant for the webhook server: get/create/update/patch/delete on
# Secrets in cnrm-system, no list/watch. Same shape and same caveat as the
# deletion defender's role above: `get` by known name reaches every Secret in
# this namespace, so whatever else lives in cnrm-system Secrets (in the
# gcp-identity variant possibly a cloud credential — not shown here) is
# readable by this pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-cnrm-system-role
  namespace: cnrm-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - update
  - patch
  - delete
---
# Aggregated ClusterRole: full read/write on every Config Connector API group.
# The aggregate-to-admin / aggregate-to-edit labels fold these rules into the
# built-in `admin` and `edit` ClusterRoles, so ANY subject with a RoleBinding
# to `edit` or `admin` in ANY namespace can create, change and delete KCC
# resources there. Whether that turns into changes in a Google Cloud project
# depends on how the namespace is wired to a Google identity (configured
# outside this file); the RBAC side is unconditional. Treat namespace `edit`
# as cloud-write access wherever KCC is enabled.
#
# Every group receives the same verbs, so they are written as a single rule
# (RBAC ORs the groups of one rule — equivalent to one rule per group).
# Groups whose resources govern identity, policy, keys or project structure
# are marked; their names are the only basis for the marking.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: cnrm-admin
rules:
- apiGroups:
  - accesscontextmanager.cnrm.cloud.google.com  # access policy / perimeters
  - alloydb.cnrm.cloud.google.com
  - apigateway.cnrm.cloud.google.com
  - apigee.cnrm.cloud.google.com
  - apikeys.cnrm.cloud.google.com  # API key credentials
  - appengine.cnrm.cloud.google.com
  - artifactregistry.cnrm.cloud.google.com
  - beyondcorp.cnrm.cloud.google.com
  - bigquery.cnrm.cloud.google.com
  - bigqueryanalyticshub.cnrm.cloud.google.com
  - bigqueryconnection.cnrm.cloud.google.com
  - bigquerydatapolicy.cnrm.cloud.google.com
  - bigquerydatatransfer.cnrm.cloud.google.com
  - bigqueryreservation.cnrm.cloud.google.com
  - bigtable.cnrm.cloud.google.com
  - billingbudgets.cnrm.cloud.google.com
  - binaryauthorization.cnrm.cloud.google.com  # image admission policy
  - certificatemanager.cnrm.cloud.google.com
  - cloudasset.cnrm.cloud.google.com
  - cloudbuild.cnrm.cloud.google.com
  - cloudfunctions.cnrm.cloud.google.com
  - cloudfunctions2.cnrm.cloud.google.com
  - cloudidentity.cnrm.cloud.google.com  # groups / memberships
  - cloudids.cnrm.cloud.google.com
  - cloudiot.cnrm.cloud.google.com
  - cloudscheduler.cnrm.cloud.google.com
  - cloudtasks.cnrm.cloud.google.com
  - compute.cnrm.cloud.google.com  # networks, firewalls, instances
  - configcontroller.cnrm.cloud.google.com
  - container.cnrm.cloud.google.com  # GKE clusters
  - containeranalysis.cnrm.cloud.google.com
  - containerattached.cnrm.cloud.google.com
  - datacatalog.cnrm.cloud.google.com
  - dataflow.cnrm.cloud.google.com
  - dataform.cnrm.cloud.google.com
  - datafusion.cnrm.cloud.google.com
  - dataproc.cnrm.cloud.google.com
  - datastore.cnrm.cloud.google.com
  - datastream.cnrm.cloud.google.com
  - deploymentmanager.cnrm.cloud.google.com
  - dialogflow.cnrm.cloud.google.com
  - dialogflowcx.cnrm.cloud.google.com
  - discoveryengine.cnrm.cloud.google.com
  - dlp.cnrm.cloud.google.com
  - dns.cnrm.cloud.google.com
  - documentai.cnrm.cloud.google.com
  - edgecontainer.cnrm.cloud.google.com
  - edgenetwork.cnrm.cloud.google.com
  - essentialcontacts.cnrm.cloud.google.com
  - eventarc.cnrm.cloud.google.com
  - filestore.cnrm.cloud.google.com
  - firebase.cnrm.cloud.google.com
  - firebasedatabase.cnrm.cloud.google.com
  - firebasehosting.cnrm.cloud.google.com
  - firebasestorage.cnrm.cloud.google.com
  - firestore.cnrm.cloud.google.com
  - gkebackup.cnrm.cloud.google.com
  - gkehub.cnrm.cloud.google.com
  - healthcare.cnrm.cloud.google.com
  - iam.cnrm.cloud.google.com  # IAM: the most sensitive group here
  - iap.cnrm.cloud.google.com
  - identityplatform.cnrm.cloud.google.com
  - kms.cnrm.cloud.google.com  # key rings / crypto keys
  - logging.cnrm.cloud.google.com
  - memcache.cnrm.cloud.google.com
  - mlengine.cnrm.cloud.google.com
  - monitoring.cnrm.cloud.google.com
  - networkconnectivity.cnrm.cloud.google.com
  - networkmanagement.cnrm.cloud.google.com
  - networksecurity.cnrm.cloud.google.com
  - networkservices.cnrm.cloud.google.com
  - notebooks.cnrm.cloud.google.com
  - orgpolicy.cnrm.cloud.google.com  # organization policy constraints
  - osconfig.cnrm.cloud.google.com
  - oslogin.cnrm.cloud.google.com
  - privateca.cnrm.cloud.google.com  # certificate authorities
  - privilegedaccessmanager.cnrm.cloud.google.com  # privileged access grants
  - pubsub.cnrm.cloud.google.com
  - pubsublite.cnrm.cloud.google.com
  - recaptchaenterprise.cnrm.cloud.google.com
  - redis.cnrm.cloud.google.com
  - resourcemanager.cnrm.cloud.google.com  # projects / folders
  - run.cnrm.cloud.google.com
  - secretmanager.cnrm.cloud.google.com  # secrets
  - securesourcemanager.cnrm.cloud.google.com
  - securitycenter.cnrm.cloud.google.com
  - servicedirectory.cnrm.cloud.google.com
  - servicenetworking.cnrm.cloud.google.com
  - serviceusage.cnrm.cloud.google.com  # enabling / disabling APIs
  - sourcerepo.cnrm.cloud.google.com
  - spanner.cnrm.cloud.google.com
  - sql.cnrm.cloud.google.com
  - storage.cnrm.cloud.google.com
  - storagetransfer.cnrm.cloud.google.com
  - tags.cnrm.cloud.google.com
  - tpu.cnrm.cloud.google.com
  - vertexai.cnrm.cloud.google.com
  - vpcaccess.cnrm.cloud.google.com
  - workflows.cnrm.cloud.google.com
  - workstations.cnrm.cloud.google.com
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Cluster-wide permissions for the deletion defender. Read-only on CRDs and
# Namespaces (it must see what is being deleted); full write on
# ValidatingWebhookConfigurations and on Services in EVERY namespace.
# NOTE(review): write on validatingwebhookconfigurations cluster-wide means a
# compromise of this pod can register or remove admission webhooks for any
# resource in the cluster. The Services rule is also cluster-wide although the
# only Service this component appears to own is cnrm-deletiondefender in
# cnrm-system (defined later in this file); a namespaced Role would do if that
# is the only one it manages — cannot confirm from this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-role
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Cluster-wide permissions for the controller manager beyond cnrm-admin:
# read on CRDs and Namespaces, write on ValidatingWebhookConfigurations, read
# on servicemappings and full write on everything else in
# core.cnrm.cloud.google.com (the operator's own configuration kinds, not
# listed in this file). Note that CRDs themselves are read-only for this
# component — the kind that actually manages KCC resources does not get to
# create or delete CRDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-cluster-role
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - core.cnrm.cloud.google.com
  resources:
  - servicemappings
  verbs:
  - get
  - list
  - watch
# The '*' rule below already covers servicemappings; the explicit read rule
# above is redundant but harmless.
- apiGroups:
  - core.cnrm.cloud.google.com
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# Despite the "ns-role" name this is a ClusterRole, and it is bound with a
# ClusterRoleBinding (cnrm-manager-watcher-binding, later in this file), so
# the controller manager can get/list/watch AND modify Secrets, ConfigMaps,
# Services and Events in EVERY namespace, not just cnrm-system. KCC does need
# to read Secrets that user resources reference, but this grant makes the
# controller-manager token equivalent to cluster-wide Secret read: anyone who
# can exec into, or obtain the token of, that pod can dump every Secret in the
# cluster. Least privilege would be a RoleBinding to this role in cnrm-system
# plus each namespace where KCC is enabled, created alongside whatever
# per-namespace setup the bundle performs elsewhere. Not changed here because
# that setup is outside this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-role
rules:
- apiGroups:
  - ""
  resources:
  - events
  - configmaps
  - secrets
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
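# Cluster-wide permissions for the resource stats recorder, a metrics-only
# component (its Deployment at the end of this file runs
# /configconnector/recorder and exposes a Prometheus scrape endpoint).
# Reading Namespaces and CRDs is what a recorder needs to enumerate the KCC
# kinds it counts. The shipped bundle additionally granted
# create/update/patch/delete on customresourcedefinitions — nothing in this
# bundle shows the recorder using them, and it is more than even the
# controller manager holds (cnrm-manager-cluster-role is read-only on CRDs).
# Deleting a CRD cascades to every instance of that kind, so the write verbs
# are dropped here. If the recorder logs RBAC "forbidden" errors on CRDs after
# this change, restore the specific verb it needs rather than the full set.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-recorder-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch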
---
# Aggregated read-only ClusterRole: get/list/watch on every Config Connector
# API group. The aggregate-to-view label folds it into the built-in `view`
# ClusterRole, so namespace `view` now includes reading the full spec and
# status of every KCC resource in that namespace. Keep credentials out of KCC
# specs (reference Secrets instead) so that `view` does not become credential
# read — what specs carry in a given cluster cannot be judged from this file.
#
# Same group list as cnrm-admin, written as a single rule (RBAC ORs the groups
# of one rule, so this is equivalent to one rule per group).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: cnrm-viewer
rules:
- apiGroups:
  - accesscontextmanager.cnrm.cloud.google.com
  - alloydb.cnrm.cloud.google.com
  - apigateway.cnrm.cloud.google.com
  - apigee.cnrm.cloud.google.com
  - apikeys.cnrm.cloud.google.com
  - appengine.cnrm.cloud.google.com
  - artifactregistry.cnrm.cloud.google.com
  - beyondcorp.cnrm.cloud.google.com
  - bigquery.cnrm.cloud.google.com
  - bigqueryanalyticshub.cnrm.cloud.google.com
  - bigqueryconnection.cnrm.cloud.google.com
  - bigquerydatapolicy.cnrm.cloud.google.com
  - bigquerydatatransfer.cnrm.cloud.google.com
  - bigqueryreservation.cnrm.cloud.google.com
  - bigtable.cnrm.cloud.google.com
  - billingbudgets.cnrm.cloud.google.com
  - binaryauthorization.cnrm.cloud.google.com
  - certificatemanager.cnrm.cloud.google.com
  - cloudasset.cnrm.cloud.google.com
  - cloudbuild.cnrm.cloud.google.com
  - cloudfunctions.cnrm.cloud.google.com
  - cloudfunctions2.cnrm.cloud.google.com
  - cloudidentity.cnrm.cloud.google.com
  - cloudids.cnrm.cloud.google.com
  - cloudiot.cnrm.cloud.google.com
  - cloudscheduler.cnrm.cloud.google.com
  - cloudtasks.cnrm.cloud.google.com
  - compute.cnrm.cloud.google.com
  - configcontroller.cnrm.cloud.google.com
  - container.cnrm.cloud.google.com
  - containeranalysis.cnrm.cloud.google.com
  - containerattached.cnrm.cloud.google.com
  - datacatalog.cnrm.cloud.google.com
  - dataflow.cnrm.cloud.google.com
  - dataform.cnrm.cloud.google.com
  - datafusion.cnrm.cloud.google.com
  - dataproc.cnrm.cloud.google.com
  - datastore.cnrm.cloud.google.com
  - datastream.cnrm.cloud.google.com
  - deploymentmanager.cnrm.cloud.google.com
  - dialogflow.cnrm.cloud.google.com
  - dialogflowcx.cnrm.cloud.google.com
  - discoveryengine.cnrm.cloud.google.com
  - dlp.cnrm.cloud.google.com
  - dns.cnrm.cloud.google.com
  - documentai.cnrm.cloud.google.com
  - edgecontainer.cnrm.cloud.google.com
  - edgenetwork.cnrm.cloud.google.com
  - essentialcontacts.cnrm.cloud.google.com
  - eventarc.cnrm.cloud.google.com
  - filestore.cnrm.cloud.google.com
  - firebase.cnrm.cloud.google.com
  - firebasedatabase.cnrm.cloud.google.com
  - firebasehosting.cnrm.cloud.google.com
  - firebasestorage.cnrm.cloud.google.com
  - firestore.cnrm.cloud.google.com
  - gkebackup.cnrm.cloud.google.com
  - gkehub.cnrm.cloud.google.com
  - healthcare.cnrm.cloud.google.com
  - iam.cnrm.cloud.google.com
  - iap.cnrm.cloud.google.com
  - identityplatform.cnrm.cloud.google.com
  - kms.cnrm.cloud.google.com
  - logging.cnrm.cloud.google.com
  - memcache.cnrm.cloud.google.com
  - mlengine.cnrm.cloud.google.com
  - monitoring.cnrm.cloud.google.com
  - networkconnectivity.cnrm.cloud.google.com
  - networkmanagement.cnrm.cloud.google.com
  - networksecurity.cnrm.cloud.google.com
  - networkservices.cnrm.cloud.google.com
  - notebooks.cnrm.cloud.google.com
  - orgpolicy.cnrm.cloud.google.com
  - osconfig.cnrm.cloud.google.com
  - oslogin.cnrm.cloud.google.com
  - privateca.cnrm.cloud.google.com
  - privilegedaccessmanager.cnrm.cloud.google.com
  - pubsub.cnrm.cloud.google.com
  - pubsublite.cnrm.cloud.google.com
  - recaptchaenterprise.cnrm.cloud.google.com
  - redis.cnrm.cloud.google.com
  - resourcemanager.cnrm.cloud.google.com
  - run.cnrm.cloud.google.com
  - secretmanager.cnrm.cloud.google.com
  - securesourcemanager.cnrm.cloud.google.com
  - securitycenter.cnrm.cloud.google.com
  - servicedirectory.cnrm.cloud.google.com
  - servicenetworking.cnrm.cloud.google.com
  - serviceusage.cnrm.cloud.google.com
  - sourcerepo.cnrm.cloud.google.com
  - spanner.cnrm.cloud.google.com
  - sql.cnrm.cloud.google.com
  - storage.cnrm.cloud.google.com
  - storagetransfer.cnrm.cloud.google.com
  - tags.cnrm.cloud.google.com
  - tpu.cnrm.cloud.google.com
  - vertexai.cnrm.cloud.google.com
  - vpcaccess.cnrm.cloud.google.com
  - workflows.cnrm.cloud.google.com
  - workstations.cnrm.cloud.google.com
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
---
# Cluster-wide permissions for the admission webhook server.
# NOTE(review): the first rule grants create/update/patch/delete on
# MutatingWebhookConfigurations as well as Validating ones. A subject that can
# write mutating webhook configurations can register an endpoint that rewrites
# any API request in the cluster before it is persisted — this is one of the
# highest-impact grants in Kubernetes and should be treated as near
# cluster-admin for blast-radius purposes. The Services rule is likewise
# cluster-wide though the webhook's own Service would live in cnrm-system;
# whether it manages Services elsewhere is not visible here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-role
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - core.cnrm.cloud.google.com
  resources:
  - servicemappings
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
---
# Namespaced binding: deletion defender -> Secret get/create/update/patch/delete
# in cnrm-system only (the Role of the same name above).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-role-binding
  namespace: cnrm-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnrm-deletiondefender-cnrm-system-role
subjects:
- kind: ServiceAccount
  name: cnrm-deletiondefender
  namespace: cnrm-system
---
# Namespaced binding: webhook server -> Secret get/create/update/patch/delete in
# cnrm-system only (the Role cnrm-webhook-cnrm-system-role above).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-role-binding
  namespace: cnrm-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnrm-webhook-cnrm-system-role
subjects:
- kind: ServiceAccount
  name: cnrm-webhook-manager
  namespace: cnrm-system
---
# Binds cnrm-admin (get/list/watch/create/update/patch/delete on every KCC API
# group, cluster-wide) to three ServiceAccounts. The controller manager needs
# all of it. The stats recorder and the deletion defender, going by their
# names and the rest of this bundle, only read KCC resources (to export
# metrics; to block deletions) — if that holds, binding those two to
# cnrm-viewer instead would remove cluster-wide write on every KCC kind from
# two pods that do not need it. Not changed here because their exact API usage
# is not visible in this file; verify against the component source before
# tightening.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-admin
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager
  namespace: cnrm-system
- kind: ServiceAccount
  name: cnrm-resource-stats-recorder
  namespace: cnrm-system
- kind: ServiceAccount
  name: cnrm-deletiondefender
  namespace: cnrm-system
---
# Cluster-wide binding: deletion defender -> cnrm-deletiondefender-role (read
# CRDs/Namespaces, write ValidatingWebhookConfigurations and Services in all
# namespaces).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-deletiondefender-role
subjects:
- kind: ServiceAccount
  name: cnrm-deletiondefender
  namespace: cnrm-system
---
# Cluster-wide binding: controller manager -> cnrm-manager-cluster-role (read
# CRDs/Namespaces, write ValidatingWebhookConfigurations, write everything in
# core.cnrm.cloud.google.com).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-cluster-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager
  namespace: cnrm-system
---
# Cluster-wide binding of cnrm-manager-ns-role to the controller manager.
# NOTE(review): this is the binding that makes the "ns-role" grant
# (get/list/watch/create/update/patch/delete on Secrets, ConfigMaps, Services
# and Events) apply to EVERY namespace in the cluster. The role name suggests
# namespace scope; the ClusterRoleBinding kind is what widens it. Replacing
# this one object with per-namespace RoleBindings (cnrm-system plus each
# KCC-enabled namespace) is the single change that would most reduce the
# controller manager's blast radius; it requires per-namespace setup that is
# not part of this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-watcher-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-manager-ns-role
subjects:
- kind: ServiceAccount
  name: cnrm-controller-manager
  namespace: cnrm-system
---
# Cluster-wide binding: stats recorder -> cnrm-recorder-role (Namespaces and
# CRDs). Access to the KCC resources themselves comes from the separate
# cnrm-admin-binding above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-recorder-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-recorder-role
subjects:
- kind: ServiceAccount
  name: cnrm-resource-stats-recorder
  namespace: cnrm-system
---
# Cluster-wide binding: webhook server -> cnrm-webhook-role (write on
# Mutating/ValidatingWebhookConfigurations, servicemappings and Services in all
# namespaces; read on CRDs and Namespaces).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-webhook-role
subjects:
- kind: ServiceAccount
  name: cnrm-webhook-manager
  namespace: cnrm-system
---
# ClusterIP Service fronting the deletion-defender admission webhook on 443.
# No targetPort is set, so the pod (its Deployment is not in this file) must
# itself listen on 443; with a non-root container that needs either
# CAP_NET_BIND_SERVICE or the unprivileged-port sysctl — confirm on the pod
# spec. The API server reaches this Service over TLS; the serving certificate
# is presumably what the deletion defender's Secret role is for.
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
  namespace: cnrm-system
spec:
  ports:
  - name: deletiondefender
    port: 443
  selector:
    cnrm.cloud.google.com/component: cnrm-deletiondefender
    cnrm.cloud.google.com/system: "true"
---
# ClusterIP Service for the controller manager: 443 (webhook/serving, pod must
# listen on 443 since no targetPort is given) and 8888 for metrics. The
# prometheus.io/* annotations advertise the 8888 endpoint to annotation-based
# scrapers. Whether /metrics requires authentication is not visible here; if
# it does not, anything with network reach to this namespace can read
# controller metrics (resource counts, reconcile errors) — restrict with a
# NetworkPolicy if that matters in your environment.
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
    prometheus.io/port: "8888"
    prometheus.io/scrape: "true"
  labels:
    cnrm.cloud.google.com/monitored: "true"
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager
  namespace: cnrm-system
spec:
  ports:
  - name: controller-manager
    port: 443
  - name: metrics
    port: 8888
  selector:
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/system: "true"
---
# ClusterIP Service for the stats recorder's metrics: Service port 8888 maps to
# container port 48797. NOTE(review): the prometheus.io/port annotation says
# "48797", which is the POD port, while the only Service port is 8888. A
# scraper that resolves the annotation against the Service address will hit a
# closed port; one that resolves it against endpoint/pod addresses will work.
# Which one applies depends on the scrape configuration, not on this file —
# check before relying on these metrics for alerting.
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
    prometheus.io/port: "48797"
    prometheus.io/scrape: "true"
  labels:
    cnrm.cloud.google.com/monitored: "true"
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder-service
  namespace: cnrm-system
spec:
  ports:
  - name: metrics
    port: 8888
    targetPort: 48797
  selector:
    cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
    cnrm.cloud.google.com/system: "true"
---
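# Resource stats recorder: a single-replica, metrics-only Deployment that
# serves Prometheus counters on :48797 (reached in-cluster through the
# cnrm-resource-stats-recorder-service Service, port 8888 -> 48797).
#
# Changes from the shipped bundle:
#  * hostPort removed. With `hostPort: 48797` the metrics listener was also
#    bound on every node's own address — outside NetworkPolicy and Service
#    scoping, and a Pod Security Standards "baseline" violation. The Service
#    already reaches the container on 48797, so in-cluster scraping does not
#    need it. If an out-of-cluster scraper was reading <node-ip>:48797
#    directly, point it at the Service instead.
#  * capabilities.drop ALL and seccompProfile RuntimeDefault added, which
#    brings the container to the "restricted" profile. It already runs as
#    uid 1000 with allowPrivilegeEscalation: false, so the capability bounding
#    set was not reachable anyway; this makes the intent explicit and
#    policy-checkable.
#
# Left as shipped, worth knowing:
#  * The image is pinned by tag (2fa0f72, a short commit hash), not by digest,
#    and imagePullPolicy: Always re-resolves that tag on every pod start. Pin
#    by @sha256 digest if this bundle is vendored into an environment with
#    supply-chain controls.
#  * readOnlyRootFilesystem is not set; whether the binary writes to its root
#    filesystem cannot be determined from this file, so it is left alone.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.125.0
  labels:
    cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder
  namespace: cnrm-system
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
      cnrm.cloud.google.com/system: "true"
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: 1.125.0
      labels:
        cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
      - args:
        - --prometheus-scrape-endpoint=:48797
        - --metric-interval=60
        command:
        - /configconnector/recorder
        env:
        - name: CONFIG_CONNECTOR_VERSION
          value: 1.125.0
        image: gcr.io/cnrm-eap/cnrm/recorder:2fa0f72
        imagePullPolicy: Always
        name: recorder
        ports:
        # Metrics port. Exposed to the pod network only; the Service above is
        # the supported path to it.
        - containerPort: 48797
          protocol: TCP
        # Readiness endpoint.
        - containerPort: 23232
        readinessProbe:
          httpGet:
            path: /ready
            port: 23232
          initialDelaySeconds: 7
          periodSeconds: 3
        resources:
          limits:
            memory: 64Mi
          requests:
            cpu: 20m
            memory: 64Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          runAsNonRoot: true
          runAsUser: 1000
          seccompProfile:
            type: RuntimeDefault
      enableServiceLinks: false
      hostNetwork: false
      serviceAccountName: cnrm-resource-stats-recorder
      terminationGracePeriodSeconds: 10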
---
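# Deployment for the admission webhook server. No replica count is set here;
# the cnrm-webhook HorizontalPodAutoscaler scales this Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cnrm-webhook-manager
  namespace: cnrm-system
  labels:
    cnrm.cloud.google.com/component: cnrm-webhook-manager
    cnrm.cloud.google.com/system: "true"
  annotations:
    cnrm.cloud.google.com/version: "1.125.0"
spec:
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-webhook-manager
      cnrm.cloud.google.com/system: "true"
  template:
    metadata:
      labels:
        cnrm.cloud.google.com/component: cnrm-webhook-manager
        cnrm.cloud.google.com/system: "true"
      annotations:
        cnrm.cloud.google.com/version: "1.125.0"
    spec:
      serviceAccountName: cnrm-webhook-manager
      enableServiceLinks: false
      terminationGracePeriodSeconds: 10
      containers:
        - name: webhook
          # Mutable tag pulled on every start; pin by digest
          # (image@sha256:<digest>) where reproducible installs are required.
          image: gcr.io/cnrm-eap/cnrm/webhook:2fa0f72
          imagePullPolicy: Always
          command:
            - /configconnector/webhook
          env:
            # Go runtime soft memory limit, kept below the 128Mi container limit.
            - name: GOMEMLIMIT
              value: 110MiB
            # Own namespace via the downward API.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 250m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
            # Pod Security "restricted" hardening: the process already runs as
            # a non-root uid with no_new_privs, so dropping all capabilities
            # and applying the runtime's default seccomp filter removes
            # escalation paths without changing what the binary can do.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault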
---
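# StatefulSet for the controller manager. This bundle authenticates to Google
# Cloud with a service-account key file mounted from the gcp-key Secret
# (GOOGLE_APPLICATION_CREDENTIALS); the Secret is referenced, not defined,
# here and must exist in cnrm-system before the pod can start.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cnrm-controller-manager
  namespace: cnrm-system
  labels:
    cnrm.cloud.google.com/component: cnrm-controller-manager
    cnrm.cloud.google.com/system: "true"
  annotations:
    cnrm.cloud.google.com/version: "1.125.0"
spec:
  serviceName: cnrm-manager
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-controller-manager
      cnrm.cloud.google.com/system: "true"
  template:
    metadata:
      labels:
        cnrm.cloud.google.com/component: cnrm-controller-manager
        cnrm.cloud.google.com/system: "true"
      annotations:
        cnrm.cloud.google.com/version: "1.125.0"
    spec:
      serviceAccountName: cnrm-controller-manager
      enableServiceLinks: false
      terminationGracePeriodSeconds: 10
      containers:
        - name: manager
          # Mutable tag pulled on every start; pin by digest
          # (image@sha256:<digest>) where reproducible installs are required.
          image: gcr.io/cnrm-eap/cnrm/controller:2fa0f72
          imagePullPolicy: Always
          command:
            - /configconnector/manager
          args:
            - --prometheus-scrape-endpoint=:8888
          env:
            # Long-lived credential: the key file is a static secret, so the
            # gcp-key Secret needs the same access controls and rotation as any
            # other persistent credential.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/key.json
          ports:
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
            # Pod Security "restricted" hardening: the process already runs as
            # a non-root uid with no_new_privs, so dropping all capabilities
            # and applying the runtime's default seccomp filter removes
            # escalation paths without changing what the binary can do.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # The key is only read, so mount it read-only explicitly.
            - name: gcp-service-account
              mountPath: /var/secrets/google
              readOnly: true
      volumes:
        - name: gcp-service-account
          secret:
            secretName: gcp-key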
---
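# StatefulSet for the deletion defender, reached through the
# cnrm-deletiondefender Service. Serves a readiness endpoint on 23232.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cnrm-deletiondefender
  namespace: cnrm-system
  labels:
    cnrm.cloud.google.com/component: cnrm-deletiondefender
    cnrm.cloud.google.com/system: "true"
  annotations:
    cnrm.cloud.google.com/version: "1.125.0"
spec:
  serviceName: cnrm-deletiondefender
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-deletiondefender
      cnrm.cloud.google.com/system: "true"
  template:
    metadata:
      labels:
        cnrm.cloud.google.com/component: cnrm-deletiondefender
        cnrm.cloud.google.com/system: "true"
      annotations:
        cnrm.cloud.google.com/version: "1.125.0"
    spec:
      serviceAccountName: cnrm-deletiondefender
      enableServiceLinks: false
      terminationGracePeriodSeconds: 10
      containers:
        - name: deletiondefender
          # Mutable tag pulled on every start; pin by digest
          # (image@sha256:<digest>) where reproducible installs are required.
          image: gcr.io/cnrm-eap/cnrm/deletiondefender:2fa0f72
          imagePullPolicy: Always
          command:
            - /configconnector/deletiondefender
          ports:
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
            # Pod Security "restricted" hardening: the process already runs as
            # a non-root uid with no_new_privs, so dropping all capabilities
            # and applying the runtime's default seccomp filter removes
            # escalation paths without changing what the binary can do.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault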
---
# HorizontalPodAutoscaler for the webhook Deployment: 2–20 replicas, scaling
# on 70% CPU. The autoscaling.alpha.kubernetes.io/metrics annotation is the
# autoscaling/v1 encoding of an additional 70% memory-utilization target;
# autoscaling/v2 expresses both targets as a native metrics list.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: cnrm-webhook
  namespace: cnrm-system
  labels:
    cnrm.cloud.google.com/system: "true"
  annotations:
    autoscaling.alpha.kubernetes.io/metrics: '[{"type":"Resource","resource":{"name":"memory","targetAverageUtilization":70}}]'
    cnrm.cloud.google.com/version: "1.125.0"
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: cnrm-webhook-manager
  minReplicas: 2
  maxReplicas: 20
  targetCPUUtilizationPercentage: 70