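# Identity the webhook pod runs as. Every binding further down in this file
# attaches to this ServiceAccount, so it is the single principal whose
# privileges need reviewing when the chart changes.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "webhook.fullname" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    # Quoted so a release name that looks like a boolean or number ("on",
    # "1.10") is kept as the string label value Kubernetes expects instead of
    # being retyped by the YAML parser.
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
---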
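# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver, and the
# built-in Role that reads it lives in kube-system, so this RoleBinding has to
# be created in kube-system rather than in the release namespace. Installing
# the chart therefore needs permission to create RoleBindings there.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # The release-specific fullname prefix keeps multiple releases from colliding
  # on the same binding name in the shared kube-system namespace.
  name: {{ include "webhook.fullname" . }}:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  # Expected to exist already (a Kubernetes built-in); this file does not
  # create it, so the binding grants nothing beyond what that Role contains.
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    # Quoted: an unquoted template expansion that renders empty becomes null.
    name: {{ include "webhook.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---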
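# The webhook's extension apiserver gets the built-in system:auth-delegator
# ClusterRole so it can delegate authentication and authorization decisions
# for incoming requests to the core apiserver. A ClusterRoleBinding is needed
# because system:auth-delegator is a ClusterRole, not a namespaced Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}:auth-delegator
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    # Quoted: an unquoted template expansion that renders empty becomes null.
    name: {{ include "webhook.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---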
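# Grant cert-manager permission to validate using our apiserver: the create
# verb on every resource served under the webhook's API group. The wildcard is
# presumably used because the solver resource name is decided by the webhook
# binary rather than by this chart. NOTE(review): if that name is known, list
# it here instead of '*' so the grant covers exactly one resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "webhook.fullname" . }}:domain-solver
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
rules:
  - apiGroups:
      # groupName must never render empty: an unquoted empty value becomes
      # null, and a quoted empty value becomes "", which is the *core* API
      # group. Combined with resources '*' that would grant cert-manager
      # create on every core resource. Fail the render instead.
      - {{ required "groupName must be set to the webhook's API group" .Values.groupName | quote }}
    resources:
      - '*'
    verbs:
      - 'create'
---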
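# Bind the domain-solver ClusterRole to cert-manager's own ServiceAccount so
# cert-manager (not the webhook) can create challenge resources in the
# webhook's API group. The subject is user-supplied via values, so render
# fails loudly if either field is unset instead of emitting a null or empty
# subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}:domain-solver
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "webhook.fullname" . }}:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ required "certManager.serviceAccountName must be set" .Values.certManager.serviceAccountName | quote }}
    namespace: {{ required "certManager.namespace must be set" .Values.certManager.namespace | quote }}
---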
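# Read-only access to API Priority and Fairness configuration. The verbs are
# limited to list and watch, so this grants no ability to change the cluster's
# flow-control settings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "webhook.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
rules:
  - apiGroups:
      - 'flowcontrol.apiserver.k8s.io'
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
---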
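# Bind the read-only flowcontrol ClusterRole to the webhook's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "webhook.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "webhook.name" . | quote }}
    chart: {{ include "webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "webhook.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    # Quoted: an unquoted template expansion that renders empty becomes null.
    name: {{ include "webhook.fullname" . | quote }}
    namespace: {{ .Release.Namespace | quote }}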