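{{- if .Values.global.rbac.create }}
# RBAC for the cert-manager controller.
#
# Reviewer note on scope: every ClusterRole in this file is bound to the single
# controller ServiceAccount through a ClusterRoleBinding, so the controller
# holds the union of all rules below in every namespace. Several of the roles
# grant read/write on core "secrets" with no resourceNames restriction, which
# makes the controller's ServiceAccount token a cluster-wide secret-reading
# credential. Treat access to that pod and its token as privileged, and keep
# the namespace-scoped leader-election Role below separate rather than folding
# it into a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  # Quoted so a namespace that happens to look like a number or boolean is
  # still rendered as a string; this matches the ClusterRoleBindings below.
  namespace: {{ .Values.global.leaderElection.namespace | quote }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Used for leader election by the controller
  # See also: https://github.com/kubernetes-sigs/controller-runtime/pull/1144#discussion_r480173688
  # Mutating verbs are pinned to the single lock object via resourceNames.
  # "create" cannot be restricted by resource name in RBAC, hence the separate
  # unrestricted create rule for each resource.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]

---

# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace | quote }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cert-manager.fullname" . }}:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    # The ServiceAccount lives in the release namespace, which may differ from
    # the leader-election namespace the Role above is created in.
    namespace: {{ .Release.Namespace | quote }}

---

# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # Cluster-wide read/write on Secrets, not limited by resourceNames.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Cluster-wide read/write on Secrets, not limited by resourceNames.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # Cluster-wide read/write on Secrets, not limited by resourceNames. This is
  # the only controller role that also has "patch" on Secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Read-only on Secrets (still cluster-wide).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Use to update challenge resource status
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update"]
  # Used to watch challenge resources
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch challenges, issuer and clusterissuer resources
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Need to be able to retrieve ACME account private key to complete challenges
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules
  # The solver creates and deletes pods/services/ingresses/httproutes in the
  # namespace of the challenge; these verbs are cluster-wide, so the controller
  # can create workloads in any namespace.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]

---

# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]

---

# Bindings: each controller ClusterRole is bound to the same ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-orders
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

# User-facing read role. The aggregate-to-* labels fold these rules into the
# built-in view, edit and admin ClusterRoles, so any subject that already holds
# one of those roles in a namespace can also read cert-manager resources there.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-view
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]

---

# User-facing write role, aggregated into the built-in edit and admin
# ClusterRoles only (not view).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-edit
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

---

# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
# The resourceNames restrict approval to cert-manager's own signer names;
# widening that list would let the controller approve requests for other signers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount

---

# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
# As with the approve role, the "sign" verb is limited by resourceNames to
# cert-manager's own signer names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
subjects:
  - name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount
{{- end }}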