chart/operator/templates/rbac.yaml (451 lines of code) (raw):
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-controller-manager"))) | printf "%s-controller-manager" }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-leader-election-role"))) | printf "%s-leader-election-role" }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-manager-role"))) | printf "%s-manager-role" }}
rules:
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/*
resources:
- signers
verbs:
- approve
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- fetchers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- fetchers/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- javaagents
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- javaagents/status
verbs:
- delete
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- oapserverconfigs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- oapserverconfigs/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- oapserverdynamicconfigs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- oapserverdynamicconfigs/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- oapservers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- oapservers/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- satellites
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- satellites/finalizers
verbs:
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- satellites/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- storages
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- storages/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- swagents
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- swagents/finalizers
verbs:
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- swagents/status
verbs:
- get
- patch
- update
- apiGroups:
- operator.skywalking.apache.org
resources:
- uis
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- operator.skywalking.apache.org
resources:
- uis/status
verbs:
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-metrics-reader"))) | printf "%s-metrics-reader" }}
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-proxy-role"))) | printf "%s-proxy-role" }}
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-leader-election-role"))) | printf "%s-leader-election-role" }} binding
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-leader-election-role"))) | printf "%s-leader-election-role" }}
subjects:
- kind: ServiceAccount
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-controller-manager"))) | printf "%s-controller-manager" }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-manager-role"))) | printf "%s-manager-role" }} binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-manager-role"))) | printf "%s-manager-role" }}
subjects:
- kind: ServiceAccount
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-controller-manager"))) | printf "%s-controller-manager" }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-proxy-rolebinding"))) | printf "%s-proxy-rolebinding" }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-proxy-role"))) | printf "%s-proxy-role" }}
subjects:
- kind: ServiceAccount
name: {{ include "operator.fullname" . | trunc (int (sub 63 (len "-controller-manager"))) | printf "%s-controller-manager" }}
namespace: {{ .Release.Namespace }}