charts/ingress-nginx/templates/controller-role.yaml - atmosphere - Gitiles

 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
     {{- with .Values.controller.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
   name: {{ include "ingress-nginx.fullname" . }}
   namespace: {{ include "ingress-nginx.namespace" . }}
 rules:
   - apiGroups:
       - ""
     resources:
       - namespaces
     verbs:
       - get
   - apiGroups:
       - ""
     resources:
       - configmaps
       - pods
       - secrets
       - endpoints
     verbs:
       - get
       - list
       - watch
   - apiGroups:
       - ""
     resources:
       - services
     verbs:
       - get
       - list
       - watch
   - apiGroups:
       - networking.k8s.io
     resources:
       - ingresses
     verbs:
       - get
       - list
       - watch
   # Omit Ingress status permissions if `--update-status` is disabled.
   {{- if ne (index .Values.controller.extraArgs "update-status") "false" }}
   - apiGroups:
       - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
   {{- end }}
   - apiGroups:
       - networking.k8s.io
     resources:
       - ingressclasses
     verbs:
       - get
       - list
       - watch
   - apiGroups:
       - coordination.k8s.io
     resources:
       - leases
     resourceNames:
       - {{ include "ingress-nginx.controller.electionID" . }}
     verbs:
       - get
       - update
   - apiGroups:
       - coordination.k8s.io
     resources:
       - leases
     verbs:
       - create
   - apiGroups:
       - ""
     resources:
       - events
     verbs:
       - create
       - patch
   - apiGroups:
       - discovery.k8s.io
     resources:
       - endpointslices
     verbs:
       - list
       - watch
       - get
 {{- if .Values.podSecurityPolicy.enabled }}
   - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']
     verbs:          ['use']
     {{- with .Values.controller.existingPsp }}
     resourceNames:  [{{ . }}]
     {{- else }}
     resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
     {{- end }}
 {{- end }}
 {{- end }}
	{{- if .Values.rbac.create -}}
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	labels:
	{{- include "ingress-nginx.labels" . \| nindent 4 }}
	app.kubernetes.io/component: controller
	{{- with .Values.controller.labels }}
	{{- toYaml . \| nindent 4 }}
	{{- end }}
	name: {{ include "ingress-nginx.fullname" . }}
	namespace: {{ include "ingress-nginx.namespace" . }}
	rules:
	- apiGroups:
	- ""
	resources:
	- namespaces
	verbs:
	- get
	- apiGroups:
	- ""
	resources:
	- configmaps
	- pods
	- secrets
	- endpoints
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ""
	resources:
	- services
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingresses
	verbs:
	- get
	- list
	- watch
	# Omit Ingress status permissions if `--update-status` is disabled.
	{{- if ne (index .Values.controller.extraArgs "update-status") "false" }}
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingresses/status
	verbs:
	- update
	{{- end }}
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingressclasses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- coordination.k8s.io
	resources:
	- leases
	resourceNames:
	- {{ include "ingress-nginx.controller.electionID" . }}
	verbs:
	- get
	- update
	- apiGroups:
	- coordination.k8s.io
	resources:
	- leases
	verbs:
	- create
	- apiGroups:
	- ""
	resources:
	- events
	verbs:
	- create
	- patch
	- apiGroups:
	- discovery.k8s.io
	resources:
	- endpointslices
	verbs:
	- list
	- watch
	- get
	{{- if .Values.podSecurityPolicy.enabled }}
	- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
	resources: ['podsecuritypolicies']
	verbs: ['use']
	{{- with .Values.controller.existingPsp }}
	resourceNames: [{{ . }}]
	{{- else }}
	resourceNames: [{{ include "ingress-nginx.fullname" . }}]
	{{- end }}
	{{- end }}
	{{- end }}