deploy/charts/ndb-operator/templates/rolebindings.yaml (48 lines of code) (raw):

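# Webhook Server
# ClusterRoleBinding to give the WebhookServer
# cluster-scoped access to ValidatingWebhookConfigurations.
#
# This binding is rendered as a ClusterRoleBinding regardless of
# .Values.clusterScoped, so the webhook ServiceAccount holds a cluster-wide
# grant even in a namespace-scoped install. The referenced ClusterRole is
# defined outside this file; NOTE(review): confirm it stays limited to the
# ValidatingWebhookConfigurations access described above.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # The name is prefixed with the release namespace so that releases with the
  # same release name in different namespaces do not collide on this
  # cluster-wide object.
  name: "{{ .Release.Namespace }}-{{ .Release.Name }}-webhook-crb"
  # metadata.namespace has no effect on a cluster-scoped kind; kept so the
  # rendered manifest stays the same as before.
  # Namespace values are passed through quote so that a namespace whose name
  # looks like a number or boolean (for example 123 or on) is still rendered
  # as a YAML string.
  namespace: {{ .Release.Namespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "{{ .Release.Namespace }}-{{ .Release.Name }}-webhook-cr"
subjects:
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-webhook-sa"
    namespace: {{ .Release.Namespace | quote }}
---
# Other RBAC bindings are based on the scope of the Operator.
# Use ClusterRoleBinding if the operator is cluster-scoped
# and RoleBinding if the operator is namespace-scoped.
{{ $bindingKind := ternary "ClusterRoleBinding" "RoleBinding" .Values.clusterScoped -}}
{{ $userRoleKind := ternary "ClusterRole" "Role" .Values.clusterScoped -}}
---
# Other RBACs for the WebHook Server
# The object names keep their -crb / -cr suffixes even when the kinds render
# as RoleBinding / Role (namespace-scoped install).
kind: {{ $bindingKind }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: "{{ .Release.Name }}-webhook-crb"
  namespace: {{ .Release.Namespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: {{ $userRoleKind }}
  name: "{{ .Release.Name }}-webhook-cr"
subjects:
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-webhook-sa"
    namespace: {{ .Release.Namespace | quote }}
---
# Ndb operator
# Binds the operator ServiceAccount, which lives in the release namespace.
# When .Values.watchNamespace is set, the binding is created in that
# namespace instead of the release namespace, so the grant crosses a
# namespace boundary. A RoleBinding can only reference a Role in its own
# namespace; NOTE(review): confirm the roles template (not shown here)
# creates the operator Role in watchNamespace for namespace-scoped installs.
# When the operator is cluster-scoped, the namespace below has no effect.
kind: {{ $bindingKind }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: "{{ .Release.Name }}-crb"
  # watchNamespace if set, otherwise the release namespace.
  namespace: {{ .Values.watchNamespace | default .Release.Namespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: {{ $userRoleKind }}
  name: "{{ .Release.Name }}-cr"
subjects:
  - kind: ServiceAccount
    name: "{{ .Release.Name }}-app-sa"
    namespace: {{ .Release.Namespace | quote }}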