112 lines
2.7 KiB
YAML
112 lines
2.7 KiB
YAML
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: ClusterRole
|
||
|
metadata:
|
||
|
name: {{ include "sriov-network-operator.fullname" . }}
|
||
|
labels:
|
||
|
{{- include "sriov-network-operator.labels" . | nindent 4 }}
|
||
|
rules:
|
||
|
- apiGroups: [""]
|
||
|
resources: ["nodes"]
|
||
|
verbs: ["get", "list", "watch", "patch", "update"]
|
||
|
- apiGroups: [""]
|
||
|
resources: ["pods"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: [""]
|
||
|
resources: ["pods/eviction"]
|
||
|
verbs: ["create"]
|
||
|
- apiGroups: ["apps"]
|
||
|
resources: ["daemonsets"]
|
||
|
verbs: ["get"]
|
||
|
- apiGroups: [""]
|
||
|
resources: ["namespaces", "serviceaccounts"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["k8s.cni.cncf.io"]
|
||
|
resources: ["network-attachment-definitions"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["rbac.authorization.k8s.io"]
|
||
|
resources: [clusterroles, clusterrolebindings]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||
|
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["sriovnetwork.openshift.io"]
|
||
|
resources: ["*"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["machineconfiguration.openshift.io"]
|
||
|
resources: ["*"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["config.openshift.io"]
|
||
|
resources: ["infrastructures"]
|
||
|
verbs: ["get", "list", "watch"]
|
||
|
---
|
||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: ClusterRole
|
||
|
metadata:
|
||
|
name: sriov-network-config-daemon
|
||
|
labels:
|
||
|
{{- include "sriov-network-operator.labels" . | nindent 4 }}
|
||
|
rules:
|
||
|
- apiGroups: [""]
|
||
|
resources: ["nodes"]
|
||
|
verbs: ["get", "list", "watch", "patch", "update"]
|
||
|
- apiGroups: [""]
|
||
|
resources: ["pods"]
|
||
|
verbs: ["*"]
|
||
|
- apiGroups: ["apps"]
|
||
|
resources: ["daemonsets"]
|
||
|
verbs: ["get"]
|
||
|
- apiGroups: [ "config.openshift.io" ]
|
||
|
resources: [ "infrastructures" ]
|
||
|
verbs: [ "get", "list", "watch" ]
|
||
|
---
|
||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: ClusterRole
|
||
|
metadata:
|
||
|
name: sriov-admin
|
||
|
{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
|
||
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||
|
{{- end }}
|
||
|
rules:
|
||
|
- apiGroups:
|
||
|
- sriovnetwork.openshift.io
|
||
|
resources:
|
||
|
- '*'
|
||
|
verbs:
|
||
|
- "get"
|
||
|
- "watch"
|
||
|
- "list"
|
||
|
---
|
||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: ClusterRole
|
||
|
metadata:
|
||
|
name: sriov-edit
|
||
|
{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
|
||
|
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||
|
{{- end }}
|
||
|
rules:
|
||
|
- apiGroups:
|
||
|
- sriovnetwork.openshift.io
|
||
|
resources:
|
||
|
- '*'
|
||
|
verbs:
|
||
|
- "get"
|
||
|
- "watch"
|
||
|
- "list"
|
||
|
---
|
||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
kind: ClusterRole
|
||
|
metadata:
|
||
|
name: sriov-view
|
||
|
{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
|
||
|
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||
|
{{- end }}
|
||
|
rules:
|
||
|
- apiGroups:
|
||
|
- sriovnetwork.openshift.io
|
||
|
resources:
|
||
|
- '*'
|
||
|
verbs:
|
||
|
- "get"
|
||
|
- "watch"
|
||
|
- "list"
|