deploy/permission.yml (75 lines of code) (raw):

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# RBAC for the dubbo-ca ServiceAccount (namespace dubbo-system).
# Five documents: a namespaced Role and a ClusterRole, the ServiceAccount
# itself, and the two bindings that attach both roles to that account.
# The pod running as dubbo-ca holds the union of both rule sets.

# Namespaced Role: applies only inside dubbo-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dubbo-ca
  namespace: dubbo-system
  labels:
    app: dubbo-ca
rules:
  # For storing CA secret
  # No resourceNames is set, so this covers every Secret in dubbo-system,
  # not only the CA secret.
  # NOTE(review): if the CA secret has a fixed name, get/update/delete
  # could be narrowed with resourceNames (create cannot be restricted by
  # name) - confirm against the component before changing.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - watch
      - list
      - update
      - delete
---
# ClusterRole: bound through a ClusterRoleBinding in this file, so every
# rule here applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dubbo-ca
  labels:
    app: dubbo-ca
rules:
  # Read-only access to core workload and topology objects.
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - services
      - namespaces
      - endpoints
    verbs:
      - get
      - list
      - watch
  # Write access to Pod objects cluster-wide.
  # NOTE(review): the reason for this is not visible in this file;
  # confirm it is still required.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - update
  # Create/read/update (no delete) on ConfigMaps in every namespace.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - list
      - watch
      - update
  # Read access to Secrets in EVERY namespace. This is the broadest grant
  # in the file: whoever holds this ServiceAccount's token can read all
  # cluster Secrets.
  # NOTE(review): the namespaced Role already covers Secrets in
  # dubbo-system; confirm cluster-wide read is needed, and consider
  # auditing Secret reads made by this account.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - watch
      - list
  # TokenReview asks the API server to validate a bearer token.
  # Presumably used to authenticate callers' service-account tokens -
  # confirm against the component.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # Create and modify mutating admission webhook registrations.
  # No resourceNames is set, so this applies to every
  # MutatingWebhookConfiguration in the cluster, not only one owned by
  # this component; a mutating webhook can rewrite objects at admission.
  # NOTE(review): treat this account as highly privileged and confirm
  # whether get/update can be scoped to a named configuration.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - create
      - get
      - list
      - watch
      - update
  # Dubbo policy custom resources: create/read/update, no delete.
  - apiGroups:
      - dubbo.apache.org
    resources:
      - authenticationpolicies
      - authorizationpolicies
    verbs:
      - create
      - get
      - list
      - watch
      - update
---
# Identity that both bindings in this file refer to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dubbo-ca
  namespace: dubbo-system
  labels:
    app: dubbo-ca
---
# Attaches the ClusterRole to the ServiceAccount cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dubbo-ca
roleRef:
  kind: ClusterRole
  name: dubbo-ca
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: dubbo-ca
    namespace: dubbo-system
---
# Attaches the namespaced Role to the ServiceAccount inside dubbo-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dubbo-ca
  namespace: dubbo-system
roleRef:
  kind: Role
  name: dubbo-ca
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: dubbo-ca
    namespace: dubbo-system