Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / refs/heads/main / . / charts / cert-manager-webhook-infoblox-wapi / templates / rbac.yaml
blob: a94c2739e98359e02f97d0e3d1d39e04805ee633 [file] [log] [blame] [edit]
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "webhook.fullname" . }}:webhook-authentication-reader
namespace: kube-system
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "webhook.fullname" . }}:auth-delegator
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "webhook.fullname" . }}:domain-solver
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- {{ .Values.groupName }}
resources:
- '*'
verbs:
- 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "webhook.fullname" . }}:domain-solver
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "webhook.fullname" . }}:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "webhook.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- "flowcontrol.apiserver.k8s.io"
resources:
- 'prioritylevelconfigurations'
- 'flowschemas'
verbs:
- 'list'
- 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "webhook.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "webhook.name" . }}
chart: {{ include "webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "webhook.fullname" . }}:flowcontrol-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}