in pkg/manifests/nginx.go [185:256]
func newNginxIngressControllerRole(conf *config.Config, ingressConfig *NginxIngressConfig) *rbacv1.Role {
return &rbacv1.Role{
TypeMeta: metav1.TypeMeta{
Kind: "Role",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: ingressConfig.ResourceName,
Labels: AddComponentLabel(GetTopLevelLabels(), "ingress-controller"),
Namespace: conf.NS,
},
Rules: []rbacv1.PolicyRule{
{
APIGroups: []string{""},
Resources: []string{"namespaces"},
Verbs: []string{"get"},
},
// temporary permission used for update from 1.3.0->1.8.1
{
APIGroups: []string{""},
Resources: []string{"configmaps"},
Verbs: []string{"update"},
},
{
APIGroups: []string{""},
Resources: []string{"configmaps", "pods", "secrets", "endpoints"},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{""},
Resources: []string{"services"},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"networking.k8s.io"},
Resources: []string{"ingresses"},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"networking.k8s.io"},
Resources: []string{"ingresses/status"},
Verbs: []string{"update"},
},
{
APIGroups: []string{"networking.k8s.io"},
Resources: []string{"ingressclasses"},
Verbs: []string{"get", "list", "watch"},
},
{
APIGroups: []string{"coordination.k8s.io"},
Resources: []string{"leases"},
ResourceNames: []string{ingressConfig.ResourceName},
Verbs: []string{"get", "update"},
},
{
APIGroups: []string{"coordination.k8s.io"},
Resources: []string{"leases"},
Verbs: []string{"create"},
},
{
APIGroups: []string{""},
Resources: []string{"events"},
Verbs: []string{"create", "patch"},
},
{
APIGroups: []string{"discovery.k8s.io"},
Resources: []string{"endpointslices"},
Verbs: []string{"list", "watch", "get"},
},
},
}
}